Windows Analysis Report
SHIPPING DOC.exe

Overview

General Information

Sample name: SHIPPING DOC.exe
Analysis ID: 1408227
MD5: a53510c8abfed32dfb6f0765de3faf7b
SHA1: 3ea41317b78988a213ce66656b2b2d417ea3626e
SHA256: 4b39adbf8d3a4e2a5793014b4af4a4cb98d3a71c4a565dd20dc3a69928a84c72
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SHIPPING DOC.exe (PID: 7668 cmdline: C:\Users\user\Desktop\SHIPPING DOC.exe MD5: A53510C8ABFED32DFB6F0765DE3FAF7B)
    • SHIPPING DOC.exe (PID: 7736 cmdline: C:\Users\user\Desktop\SHIPPING DOC.exe MD5: A53510C8ABFED32DFB6F0765DE3FAF7B)
    • SHIPPING DOC.exe (PID: 7744 cmdline: C:\Users\user\Desktop\SHIPPING DOC.exe MD5: A53510C8ABFED32DFB6F0765DE3FAF7B)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration (extracted): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.2478143113.000000000332E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.2478143113.0000000003336000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.2478143113.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
1.2.SHIPPING DOC.exe.3e3b508.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.SHIPPING DOC.exe.3e3b508.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.SHIPPING DOC.exe.3e3b508.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings:
  • 0x316c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31735:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31851:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3192d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.SHIPPING DOC.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
3.2.SHIPPING DOC.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                      System Summary

Source: Network Connection, Author: frack113, Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SHIPPING DOC.exe, Initiated: true, ProcessId: 7744, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49704

Snort alerts (all for the same TCP flow 49704 -> 587, classtype "A Network Trojan was detected"):
Timestamp: 03/13/24-14:12:59.454453, SID: 2840032, Source Port: 49704, Destination Port: 587, Protocol: TCP
Timestamp: 03/13/24-14:12:59.454453, SID: 2855542, Source Port: 49704, Destination Port: 587, Protocol: TCP
Timestamp: 03/13/24-14:12:59.454453, SID: 2855245, Source Port: 49704, Destination Port: 587, Protocol: TCP
Timestamp: 03/13/24-14:12:59.454308, SID: 2030171, Source Port: 49704, Destination Port: 587, Protocol: TCP
Timestamp: 03/13/24-14:12:59.454308, SID: 2839723, Source Port: 49704, Destination Port: 587, Protocol: TCP
Timestamp: 03/13/24-14:12:59.454453, SID: 2851779, Source Port: 49704, Destination Port: 587, Protocol: TCP

                      AV Detection

Source: SHIPPING DOC.exe, Avira: detected
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}
Source: SHIPPING DOC.exe, ReversingLabs: Detection: 34%
Source: SHIPPING DOC.exe, Virustotal: Detection: 41%
Source: SHIPPING DOC.exe, Joe Sandbox ML: detected
Source: SHIPPING DOC.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SHIPPING DOC.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Traffic, Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.10:49704 -> 50.87.139.143:587
Source: Traffic, Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.10:49704 -> 50.87.139.143:587
Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.10:49704 -> 50.87.139.143:587
Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.10:49704 -> 50.87.139.143:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.10:49704 -> 50.87.139.143:587
Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.10:49704 -> 50.87.139.143:587
Source: Yara match, File source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.10:49704 -> 50.87.139.143:587
Source: Joe Sandbox View, IP Address: 50.87.139.143
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, DNS traffic detected: queries for: mail.elec-qatar.com
Source: SHIPPING DOC.exe, 00000003.00000002.2478143113.0000000003336000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.elec-qatar.com
Source: SHIPPING DOC.exe, 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, SHIPPING DOC.exe, 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, NmHr1WHWKO.cs, .Net Code: IiB
Source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, NmHr1WHWKO.cs, .Net Code: IiB

                      System Summary

Source: 1.2.SHIPPING DOC.exe.3e3b508.4.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 3.2.SHIPPING DOC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_029BD7E4
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_050C7300
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_050C0508
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_050C0518
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_050C72F0
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 3_2_030E96E0
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 3_2_030E9B30
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 3_2_030E4A98
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 3_2_030E3E80
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 3_2_030ECDA8
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 3_2_030E41C8
Source: SHIPPING DOC.exe, 00000001.00000002.1231942494.00000000060A0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000001.00000000.1216146918.000000000083A000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamefmnc.exe2 vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000001.00000002.1228718899.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000001.00000002.1229479240.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000003.00000002.2476201135.00000000012F9000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, Binary or memory string: OriginalFilenamefmnc.exe2 vs SHIPPING DOC.exe
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Section loaded: fwpuclnt.dll
Source: SHIPPING DOC.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.SHIPPING DOC.exe.3e3b508.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.SHIPPING DOC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SHIPPING DOC.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, ISZbPXDvPz.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, ISZbPXDvPz.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, nAXAT51m.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, nAXAT51m.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, nAXAT51m.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, nAXAT51m.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, YpS.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, YpS.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, OEMNn1OrrVjtqpxfs0.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, OEMNn1OrrVjtqpxfs0.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, hx522Aq0eW2kUhCv5G.cs, Security API names: _0020.SetAccessControl
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, hx522Aq0eW2kUhCv5G.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, hx522Aq0eW2kUhCv5G.cs, Security API names: _0020.AddAccessRule
Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, hx522Aq0eW2kUhCv5G.cs, Security API names: _0020.SetAccessControl
Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, hx522Aq0eW2kUhCv5G.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, hx522Aq0eW2kUhCv5G.cs, Security API names: _0020.AddAccessRule
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SHIPPING DOC.exe.log
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Mutant created: NULL
Source: SHIPPING DOC.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SHIPPING DOC.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SHIPPING DOC.exe, ReversingLabs: Detection: 34%
Source: SHIPPING DOC.exe, Virustotal: Detection: 41%
Source: unknown, Process created: C:\Users\user\Desktop\SHIPPING DOC.exe C:\Users\user\Desktop\SHIPPING DOC.exe
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Process created: C:\Users\user\Desktop\SHIPPING DOC.exe C:\Users\user\Desktop\SHIPPING DOC.exe
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Process created: C:\Users\user\Desktop\SHIPPING DOC.exe C:\Users\user\Desktop\SHIPPING DOC.exe
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Process created: C:\Users\user\Desktop\SHIPPING DOC.exe C:\Users\user\Desktop\SHIPPING DOC.exe
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Process created: C:\Users\user\Desktop\SHIPPING DOC.exe C:\Users\user\Desktop\SHIPPING DOC.exe
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: SHIPPING DOC.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SHIPPING DOC.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

Source: SHIPPING DOC.exe, MainForm.cs, .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, hx522Aq0eW2kUhCv5G.cs, .Net Code: pn7EIw8wAE System.Reflection.Assembly.Load(byte[])
Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, hx522Aq0eW2kUhCv5G.cs, .Net Code: pn7EIw8wAE System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_029BD8AA pushad ; retf 1_2_029BD8B1
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_050CC4B0 push 64050B91h; retf 1_2_050CC5AD
Source: C:\Users\user\Desktop\SHIPPING DOC.exe, Code function: 1_2_050CC5A1 push 64050B91h; retf 1_2_050CC5AD
Source: SHIPPING DOC.exe, Static PE information: section name: .text entropy: 7.885207920834807
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, GKfjiIuHtil7qtynYQ.cs, High entropy of concatenated method names: 'USEP6CJvDp', 'fLyPSw0Odi', 'g3UPEGjULU', 'G9pPcuMhDZ', 'jpxP89pYi6', 'hSyPZVL9mb', 'kjtP5Xd7Cx', 'IniHrne6PU', 'BTTHJeiKKE', 'E9ZHC8elbP'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, LQtP5syIaTgvMBcXxt.cs, High entropy of concatenated method names: 'ToString', 'tXydbuKFnl', 'g7sdjTBpsq', 'kqodkKPQIW', 'mj6dKEr3MD', 'L8WdWj9ZlN', 'oRHdimD89Z', 'M13dhnluAJ', 'I2DdUTviHc', 'zIbdA92wZa'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, LNfkdJ1F0jiCp795oc.cs, High entropy of concatenated method names: 'iXFROeeJa5', 'T12ResZe39', 'RlfRxAgBN6', 'TVCRjuaFLx', 'ycJRKtI2LZ', 'unPRWF4ytp', 'znyRhdVptF', 'gpfRUHPVFM', 'dBrRGaO0Wm', 'OeHRbsnXxQ'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, bydEhqz6QADfbfEnlJ.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uOBPRUpSXt', 'CdVPvpTrax', 'dRIPd1FL6M', 'fT1P4v8W5h', 'QvtPHJV3Q0', 'QjPPPCc0tW', 'K7aPNnZiFB'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, suOfnC7BrQp7je2mxQ.cs, High entropy of concatenated method names: 'gjBvGuuVSD', 'mEdvw2EaeJ', 'O8tv75oUIk', 'IHavBi80Ue', 'xsivjTwgQv', 'yH6vkIgs7N', 'Q9DvK1hkfS', 'mTBvWM1oqJ', 'iGXvin2GdZ', 'CGHvhJVXoX'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, CReg2gfqxm9UgsNpFV.cs, High entropy of concatenated method names: 'doj4JGP2Is', 'AaQ4uQvtDA', 'VtTHacarVa', 'BFJH615njL', 'WFu4bcBXXC', 'JDs4whCAP6', 'iy441F8WtK', 'joO47x6uLx', 'cDC4BSOsh8', 'rnr4yf4n26'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, cP0ZAVEaVGCcLG4ZcV.cs, High entropy of concatenated method names: 'DCb6YEMNn1', 'VrV6qjtqpx', 'zy26MUy3Ua', 'yOM6nku5RI', 'uGD6vrOQtm', 'ok16docMpZ', 'AgcctojZtkbjSTjdFr', 'RamjPa5YjVe9Y5XQRH', 'nWG66scqNP', 'Q3J6STA7F8'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, YVWt3oKxm4mmSrrdWp.cs, High entropy of concatenated method names: 'ecc53RWyKh', 'Cbh5V4myaK', 'gYs5IH7Caq', 'wLs5D7F4SY', 'QNJ5myI3t7', 'iFo52N4JuB', 'QuI5eJVJOe', 'cvW5o4nMYn', 'aEEytZAZl0LbNJGDv1v', 'PScgfbALyUQTe6k0WZ9'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, hgxNb8JhgwL7S767rW.cs, High entropy of concatenated method names: 'uRWHcJxWZu', 'MNpH8Yregr', 'adnHtvHw63', 'rI7HZ1WLmh', 'YVgH5iBt5k', 'DmlHYamYed', 'AbJHqcaFHE', 'SmyHXanl0w', 'zfRHMI2C9X', 'dcbHnWnA9o'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, DL8PZIey2Uy3UagOMk.cs, High entropy of concatenated method names: 'j0AtDMa5nr', 'KBqtmZZP4T', 'kaQtOB4ahh', 'BJ2teAmptd', 'c7Itv4GBPR', 'z3JtdEwVnP', 'GIpt44VvFU', 'vFotHA6vnF', 'l3ttPcicpJ', 'ugNtNdm7E8'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, deejC06anDeniGPsCo9.cs, High entropy of concatenated method names: 'oBMPVtWU8N', 'zR3Pg3waxU', 'VPsPIpRJRV', 'i77PDmOq1E', 'vLvP0bncpV', 'S0cPmKdcVm', 'NQYP2QoEbq', 'dp8POG2Cum', 'bIBPejpT5V', 'TnFPovhRL9'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, QqyL2AC9kbkvyVoG46.cs, High entropy of concatenated method names: 'YFjHxotlG2', 'rLrHjSv30T', 'ipGHkfVvoR', 'WYrHKMT9pD', 'DRIH7tFvTc', 'UBhHWIqcYm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, OEMNn1OrrVjtqpxfs0.cs, High entropy of concatenated method names: 'tso87V8CF4', 'esk8BokL2c', 'VrJ8yOZbcI', 'pRC8TPxVY8', 'NnA8stUoeH', 'ICi8ftuBZn', 'EWW8r6QG5D', 'lj98Jo7YrY', 'Jjc8C9YyQi', 'rTj8u5gBDh'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, JAEHVZpOLNuB6f9cdN.cs, High entropy of concatenated method names: 'spuIA1M5g', 'Q3nDE0CAw', 'LKXm8Uugr', 'PoS2XYLop', 'qQUeCYV2H', 'P2Dof0eDP', 'M167Pk8Bh8ICUK8XR1', 'xF9FcTylsugKumfXyf', 'sbrHGI8wx', 'A0dNf4CsO'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, zdmNlA6SLcRJtZwB1Cl.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RuGN7IU4Cw', 'oHgNBMiWgk', 'bJZNyIFddF', 'YR2NT57Dl7', 'nLkNsaXerG', 'jq7NffRxKn', 'wqONraJJL8'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, DePoAHAYb2BjY7tG6U.cs, High entropy of concatenated method names: 'kpgYVigSHS', 'djKYgRrVpi', 'dNgYI84hGy', 'DfLYDpVBBg', 'pBDY0SA3N2', 'Fp9YmsApHM', 'zK2Y2ZOSSv', 'JjPYOWqEnl', 'twkYefIL6g', 'Jk7YoaFJpJ'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, Y5RI06ovnXHdiFGDrO.cs, High entropy of concatenated method names: 'TAhZ0IQVpX', 'W9OZ2LsRfA', 'hYQtkh05XM', 'sd2tKDFQkK', 'akAtW7juUb', 'YcxtiJL0mL', 'k1Uth1n1Pr', 'IRLtUCvZxq', 'CiCtAxNpWZ', 'NSttGgflTa'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, hx522Aq0eW2kUhCv5G.cs, High entropy of concatenated method names: 'VY5SLYPpsb', 'B3XSc0a1gJ', 'sSJS8WNJtV', 'vHLStjj4Xy', 'VtQSZggpMR', 'c8VS5GHbyO', 'Mj1SYLPmKi', 'UQ5SqQH8oV', 'LtnSXfkoZt', 'hZ9SMJuZ6L'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, mwQMCLhqNK2tMo69ZO.cs, High entropy of concatenated method names: 'kJAYc76LSS', 'sJ2YtI3xfd', 'j7vY5WGCnv', 'EU85uMavWx', 'huq5z7GId2', 'HmvYaKSDiQ', 'CiOY6LbvhX', 'YIrYp5OCvj', 'rMEYSkFmet', 'wFLYEt1ecV'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, OMqLGv8DtSqKrN8qLP.cs, High entropy of concatenated method names: 'Dispose', 'Ffp6COt5VS', 'd6npjDbcnR', 'VAfEE1nZDi', 'Ftg6uxNb8h', 'ywL6z7S767', 'ProcessDialogKey', 'VW7paqyL2A', 'ukbp6kvyVo', 'N46ppxKfji'
Source: 1.2.SHIPPING DOC.exe.60a0000.7.raw.unpack, vtmRk1xocMpZ7lVNsT.cs, High entropy of concatenated method names: 'NmE5LRLOha', 'Dw258GapOs', 'KGL5ZQUuuF', 'Ir75YmhKYm', 'VgB5qrHmn1', 'H0xZswnvmW', 'pkmZfrlr4B', 'm05ZrTl1E7', 'M59ZJgsxdq', 'mqcZCDxius'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, GKfjiIuHtil7qtynYQ.csHigh entropy of concatenated method names: 'USEP6CJvDp', 'fLyPSw0Odi', 'g3UPEGjULU', 'G9pPcuMhDZ', 'jpxP89pYi6', 'hSyPZVL9mb', 'kjtP5Xd7Cx', 'IniHrne6PU', 'BTTHJeiKKE', 'E9ZHC8elbP'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, LQtP5syIaTgvMBcXxt.csHigh entropy of concatenated method names: 'ToString', 'tXydbuKFnl', 'g7sdjTBpsq', 'kqodkKPQIW', 'mj6dKEr3MD', 'L8WdWj9ZlN', 'oRHdimD89Z', 'M13dhnluAJ', 'I2DdUTviHc', 'zIbdA92wZa'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, LNfkdJ1F0jiCp795oc.csHigh entropy of concatenated method names: 'iXFROeeJa5', 'T12ResZe39', 'RlfRxAgBN6', 'TVCRjuaFLx', 'ycJRKtI2LZ', 'unPRWF4ytp', 'znyRhdVptF', 'gpfRUHPVFM', 'dBrRGaO0Wm', 'OeHRbsnXxQ'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, bydEhqz6QADfbfEnlJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uOBPRUpSXt', 'CdVPvpTrax', 'dRIPd1FL6M', 'fT1P4v8W5h', 'QvtPHJV3Q0', 'QjPPPCc0tW', 'K7aPNnZiFB'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, suOfnC7BrQp7je2mxQ.csHigh entropy of concatenated method names: 'gjBvGuuVSD', 'mEdvw2EaeJ', 'O8tv75oUIk', 'IHavBi80Ue', 'xsivjTwgQv', 'yH6vkIgs7N', 'Q9DvK1hkfS', 'mTBvWM1oqJ', 'iGXvin2GdZ', 'CGHvhJVXoX'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, CReg2gfqxm9UgsNpFV.csHigh entropy of concatenated method names: 'doj4JGP2Is', 'AaQ4uQvtDA', 'VtTHacarVa', 'BFJH615njL', 'WFu4bcBXXC', 'JDs4whCAP6', 'iy441F8WtK', 'joO47x6uLx', 'cDC4BSOsh8', 'rnr4yf4n26'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, cP0ZAVEaVGCcLG4ZcV.csHigh entropy of concatenated method names: 'DCb6YEMNn1', 'VrV6qjtqpx', 'zy26MUy3Ua', 'yOM6nku5RI', 'uGD6vrOQtm', 'ok16docMpZ', 'AgcctojZtkbjSTjdFr', 'RamjPa5YjVe9Y5XQRH', 'nWG66scqNP', 'Q3J6STA7F8'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, YVWt3oKxm4mmSrrdWp.csHigh entropy of concatenated method names: 'ecc53RWyKh', 'Cbh5V4myaK', 'gYs5IH7Caq', 'wLs5D7F4SY', 'QNJ5myI3t7', 'iFo52N4JuB', 'QuI5eJVJOe', 'cvW5o4nMYn', 'aEEytZAZl0LbNJGDv1v', 'PScgfbALyUQTe6k0WZ9'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, hgxNb8JhgwL7S767rW.csHigh entropy of concatenated method names: 'uRWHcJxWZu', 'MNpH8Yregr', 'adnHtvHw63', 'rI7HZ1WLmh', 'YVgH5iBt5k', 'DmlHYamYed', 'AbJHqcaFHE', 'SmyHXanl0w', 'zfRHMI2C9X', 'dcbHnWnA9o'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, DL8PZIey2Uy3UagOMk.csHigh entropy of concatenated method names: 'j0AtDMa5nr', 'KBqtmZZP4T', 'kaQtOB4ahh', 'BJ2teAmptd', 'c7Itv4GBPR', 'z3JtdEwVnP', 'GIpt44VvFU', 'vFotHA6vnF', 'l3ttPcicpJ', 'ugNtNdm7E8'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, deejC06anDeniGPsCo9.csHigh entropy of concatenated method names: 'oBMPVtWU8N', 'zR3Pg3waxU', 'VPsPIpRJRV', 'i77PDmOq1E', 'vLvP0bncpV', 'S0cPmKdcVm', 'NQYP2QoEbq', 'dp8POG2Cum', 'bIBPejpT5V', 'TnFPovhRL9'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, QqyL2AC9kbkvyVoG46.csHigh entropy of concatenated method names: 'YFjHxotlG2', 'rLrHjSv30T', 'ipGHkfVvoR', 'WYrHKMT9pD', 'DRIH7tFvTc', 'UBhHWIqcYm', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, OEMNn1OrrVjtqpxfs0.csHigh entropy of concatenated method names: 'tso87V8CF4', 'esk8BokL2c', 'VrJ8yOZbcI', 'pRC8TPxVY8', 'NnA8stUoeH', 'ICi8ftuBZn', 'EWW8r6QG5D', 'lj98Jo7YrY', 'Jjc8C9YyQi', 'rTj8u5gBDh'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, JAEHVZpOLNuB6f9cdN.csHigh entropy of concatenated method names: 'spuIA1M5g', 'Q3nDE0CAw', 'LKXm8Uugr', 'PoS2XYLop', 'qQUeCYV2H', 'P2Dof0eDP', 'M167Pk8Bh8ICUK8XR1', 'xF9FcTylsugKumfXyf', 'sbrHGI8wx', 'A0dNf4CsO'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, zdmNlA6SLcRJtZwB1Cl.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RuGN7IU4Cw', 'oHgNBMiWgk', 'bJZNyIFddF', 'YR2NT57Dl7', 'nLkNsaXerG', 'jq7NffRxKn', 'wqONraJJL8'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, DePoAHAYb2BjY7tG6U.csHigh entropy of concatenated method names: 'kpgYVigSHS', 'djKYgRrVpi', 'dNgYI84hGy', 'DfLYDpVBBg', 'pBDY0SA3N2', 'Fp9YmsApHM', 'zK2Y2ZOSSv', 'JjPYOWqEnl', 'twkYefIL6g', 'Jk7YoaFJpJ'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, Y5RI06ovnXHdiFGDrO.csHigh entropy of concatenated method names: 'TAhZ0IQVpX', 'W9OZ2LsRfA', 'hYQtkh05XM', 'sd2tKDFQkK', 'akAtW7juUb', 'YcxtiJL0mL', 'k1Uth1n1Pr', 'IRLtUCvZxq', 'CiCtAxNpWZ', 'NSttGgflTa'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, hx522Aq0eW2kUhCv5G.csHigh entropy of concatenated method names: 'VY5SLYPpsb', 'B3XSc0a1gJ', 'sSJS8WNJtV', 'vHLStjj4Xy', 'VtQSZggpMR', 'c8VS5GHbyO', 'Mj1SYLPmKi', 'UQ5SqQH8oV', 'LtnSXfkoZt', 'hZ9SMJuZ6L'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, mwQMCLhqNK2tMo69ZO.csHigh entropy of concatenated method names: 'kJAYc76LSS', 'sJ2YtI3xfd', 'j7vY5WGCnv', 'EU85uMavWx', 'huq5z7GId2', 'HmvYaKSDiQ', 'CiOY6LbvhX', 'YIrYp5OCvj', 'rMEYSkFmet', 'wFLYEt1ecV'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, OMqLGv8DtSqKrN8qLP.csHigh entropy of concatenated method names: 'Dispose', 'Ffp6COt5VS', 'd6npjDbcnR', 'VAfEE1nZDi', 'Ftg6uxNb8h', 'ywL6z7S767', 'ProcessDialogKey', 'VW7paqyL2A', 'ukbp6kvyVo', 'N46ppxKfji'
                      Source: 1.2.SHIPPING DOC.exe.3f2f0b8.2.raw.unpack, vtmRk1xocMpZ7lVNsT.csHigh entropy of concatenated method names: 'NmE5LRLOha', 'Dw258GapOs', 'KGL5ZQUuuF', 'Ir75YmhKYm', 'VgB5qrHmn1', 'H0xZswnvmW', 'pkmZfrlr4B', 'm05ZrTl1E7', 'M59ZJgsxdq', 'mqcZCDxius'
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Process information set: NOOPENFILEERRORBOX (91 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SHIPPING DOC.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 6240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 7240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 7380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 8380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 32E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Window / User API: threadDelayed 3591
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Window / User API: threadDelayed 883
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7720; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7876; Thread sleep count: 3591 > 30
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7876; Thread sleep count: 883 > 30
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -97702s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe TID: 7868; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99781
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99671
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99343
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99234
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99125
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 99015
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98906
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98797
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98687
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98578
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98468
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98359
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98250
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98140
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 98031
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 97921
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 97812
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 97702
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Thread delayed: delay time: 922337203685477
Source: SHIPPING DOC.exe, 00000003.00000002.2476679238.00000000014B6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Process created: C:\Users\user\Desktop\SHIPPING DOC.exe C:\Users\user\Desktop\SHIPPING DOC.exe (2 identical entries)
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Users\user\Desktop\SHIPPING DOC.exe VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Users\user\Desktop\SHIPPING DOC.exe VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SHIPPING DOC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e3b508.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.SHIPPING DOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2478143113.000000000332E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2478143113.0000000003336000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2478143113.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHIPPING DOC.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SHIPPING DOC.exe PID: 7744, type: MEMORYSTR
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SHIPPING DOC.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e3b508.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.SHIPPING DOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2478143113.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHIPPING DOC.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SHIPPING DOC.exe PID: 7744, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e3b508.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.SHIPPING DOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e3b508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOC.exe.3e00ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2478143113.000000000332E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2478143113.0000000003336000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2478143113.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHIPPING DOC.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SHIPPING DOC.exe PID: 7744, type: MEMORYSTR
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
SHIPPING DOC.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
SHIPPING DOC.exe | 42% | Virustotal | | Browse
SHIPPING DOC.exe | 100% | Avira | HEUR/AGEN.1308761 |
SHIPPING DOC.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
mail.elec-qatar.com | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://mail.elec-qatar.com | 0% | Avira URL Cloud | safe |
http://mail.elec-qatar.com | 2% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.elec-qatar.com | 50.87.139.143 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.elec-qatar.com | SHIPPING DOC.exe, 00000003.00000002.2478143113.0000000003336000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | SHIPPING DOC.exe, 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, SHIPPING DOC.exe, 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
50.87.139.143 | mail.elec-qatar.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1408227
Start date and time: 2024-03-13 14:12:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SHIPPING DOC.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 64
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SHIPPING DOC.exe, PID 7744 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtQueryValueKey calls found.
Time | Type | Description
14:12:53 | API Interceptor | 23x Sleep call for process: SHIPPING DOC.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
50.87.139.143 | Order 19A20060.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | Proforma Invoice.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | SHIPPING DOC.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | New order.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | Quotation R2100131410.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
50.87.139.143 | z92BankingDetails.exe | Get hash | malicious | AgentTesla | Browse |
50.87.139.143 | z14Paymentslip.exe | Get hash | malicious | AgentTesla | Browse |
50.87.139.143 | PO_0130717.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.elec-qatar.com | Order 19A20060.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | Proforma Invoice.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | SHIPPING DOC.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | New order.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | Quotation R2100131410.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.139.143
mail.elec-qatar.com | z92BankingDetails.exe | Get hash | malicious | AgentTesla | Browse | 50.87.139.143
mail.elec-qatar.com | z14Paymentslip.exe | Get hash | malicious | AgentTesla | Browse | 50.87.139.143
mail.elec-qatar.com | PO_0130717.exe | Get hash | malicious | AgentTesla | Browse | 50.87.139.143
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNIFIEDLAYER-AS-1US | http://a.email8.westpac.com.au/?qqd8UFJGTiJENtWiy-VcqIDuBHhkRyDMq&//conventosp.com.br/wp-includes/pomo/DOms/Franconette@dfl.ie | Get hash | malicious | Unknown | Browse | 216.172.160.199
UNIFIEDLAYER-AS-1US | 063837646WAYBILLMAR24.exe | Get hash | malicious | RedLine | Browse | 162.144.32.209
UNIFIEDLAYER-AS-1US | DHL EXPRESS.exe | Get hash | malicious | AgentTesla | Browse | 162.215.168.66
UNIFIEDLAYER-AS-1US | PO -70611.bat.exe | Get hash | malicious | AgentTesla | Browse | 192.185.16.97
UNIFIEDLAYER-AS-1US | 5059367692.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.253.239
UNIFIEDLAYER-AS-1US | http://a.email8.westpac.com.au/?qqd8UFJGTiJENtWiy-VcqIDuBHhkRyDMq&//mountainspeak.ca/tmp/pxp/mbu/a.b@mbu.edu | Get hash | malicious | HTMLPhisher | Browse | 216.172.172.184
UNIFIEDLAYER-AS-1US | https://funkmonsters.com/hjsdfwex/hjsahealthy/hjsahealthy/c3BlZWRwZXJrc0BhZHZhbmNlLWF1dG8uY29t | Get hash | malicious | Unknown | Browse | 162.241.124.47
UNIFIEDLAYER-AS-1US | https://tracker.club-os.com/campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=jehufelfledelrisco.com/@a/jehufelfledelrisco.com/hr@jehufelfledelrisco.com | Get hash | malicious | HTMLPhisher | Browse | 162.240.41.48
UNIFIEDLAYER-AS-1US | https://indd.adobe.com/view/b6974824-548c-4a56-9b4e-2262d37bb22f | Get hash | malicious | Unknown | Browse | 192.185.24.249
UNIFIEDLAYER-AS-1US | https://indd.adobe.com/view/b0f94dfd-0691-4cc6-9e6d-5099ed0a5a2f | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse | 192.185.24.249
No context
No context
Process: C:\Users\user\Desktop\SHIPPING DOC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.87395470187003
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.79%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
File name: SHIPPING DOC.exe
File size: 830'464 bytes
MD5: a53510c8abfed32dfb6f0765de3faf7b
SHA1: 3ea41317b78988a213ce66656b2b2d417ea3626e
SHA256: 4b39adbf8d3a4e2a5793014b4af4a4cb98d3a71c4a565dd20dc3a69928a84c72
SHA512: dbc9dfafb9dde32184060fd67c86df178f5eaf9365a5193ca2154d2889ed339cc4a585c929f9b9ba183a0a2bc2e40ca05c727a55b43ce260aca4b0c6987cfd30
SSDEEP: 12288:ICsL4MhHwgG3htgIV3ZTVBWzfrBjnuWcD5UWoljR8J7HYXWG91EzJGU600qvDKhc:wo7fwluheWoljRqH1zJGprhvfg
TLSH: 3805121372FC9B94D03DE7F81A5226802778791E7660D30C9E8970CE5E92BD2475ABE3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e..............0..h...@........... ........@.. ....................................@................................
Icon Hash: 334d96a68ec4710b
Entrypoint: 0x4c87ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x65F104EE [Wed Mar 13 01:44:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc877c | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x3a98 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0xc67d4 | 0xc6800 | 392193ef29135277820ddf8229509971 | False | 0.9258698047858942 | data | 7.885207920834807 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xca000 | 0x3a98 | 0x3c00 | e3e6300a7a27f04b4c730a16aba52bb2 | False | 0.9008463541666667 | data | 7.601559607157697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xce000 | 0xc | 0x400 | 0b643b607e09bd68eaeecdb0ed9f203b | False | 0.025390625 | data | 0.05390218305374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0xca100 | 0x3195 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9961396045064209
                                            RT_GROUP_ICON | 0xcd2a8 | 0x14 | data |  |  | 1.05
                                            RT_VERSION | 0xcd2cc | 0x5ca | data |  |  | 0.4291497975708502
                                            RT_MANIFEST | 0xcd8a8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            03/13/24-14:12:59.454453 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49704 | 587 | 192.168.2.10 | 50.87.139.143
                                            03/13/24-14:12:59.454453 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49704 | 587 | 192.168.2.10 | 50.87.139.143
                                            03/13/24-14:12:59.454453 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49704 | 587 | 192.168.2.10 | 50.87.139.143
                                            03/13/24-14:12:59.454308 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49704 | 587 | 192.168.2.10 | 50.87.139.143
                                            03/13/24-14:12:59.454308 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49704 | 587 | 192.168.2.10 | 50.87.139.143
                                            03/13/24-14:12:59.454453 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49704 | 587 | 192.168.2.10 | 50.87.139.143
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 13, 2024 14:12:57.281599998 CET | 65371 | 53 | 192.168.2.10 | 1.1.1.1
                                            Mar 13, 2024 14:12:57.561481953 CET | 53 | 65371 | 1.1.1.1 | 192.168.2.10
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Mar 13, 2024 14:12:57.281599998 CET | 192.168.2.10 | 1.1.1.1 | 0x58ad | Standard query (0) | mail.elec-qatar.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Mar 13, 2024 14:12:57.561481953 CET | 1.1.1.1 | 192.168.2.10 | 0x58ad | No error (0) | mail.elec-qatar.com |  | 50.87.139.143 | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                            Mar 13, 2024 14:12:58.187787056 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Wed, 13 Mar 2024 07:12:58 -0600
                                                                                                                                 220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                 220 and/or bulk e-mail.
                                            Mar 13, 2024 14:12:58.188811064 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | EHLO 585948
                                            Mar 13, 2024 14:12:58.362395048 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 250-box2248.bluehost.com Hello 585948 [191.96.227.194]
                                                                                                                                 250-SIZE 52428800
                                                                                                                                 250-8BITMIME
                                                                                                                                 250-PIPELINING
                                                                                                                                 250-PIPECONNECT
                                                                                                                                 250-AUTH PLAIN LOGIN
                                                                                                                                 250-STARTTLS
                                                                                                                                 250 HELP
                                            Mar 13, 2024 14:12:58.363487005 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
                                            Mar 13, 2024 14:12:58.537195921 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 334 UGFzc3dvcmQ6
                                            Mar 13, 2024 14:12:58.884455919 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 235 Authentication succeeded
                                            Mar 13, 2024 14:12:58.884823084 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | MAIL FROM:<mohammed.abrar@elec-qatar.com>
                                            Mar 13, 2024 14:12:59.058409929 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 250 OK
                                            Mar 13, 2024 14:12:59.058722019 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | RCPT TO:<jinhux31@gmail.com>
                                            Mar 13, 2024 14:12:59.279181957 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 250 Accepted
                                            Mar 13, 2024 14:12:59.279438019 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | DATA
                                            Mar 13, 2024 14:12:59.453265905 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 354 Enter message, ending with "." on a line by itself
                                            Mar 13, 2024 14:12:59.454623938 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | .
                                            Mar 13, 2024 14:12:59.629354000 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 250 OK id=1rkOPj-0040fT-1B
                                            Mar 13, 2024 14:14:38.234376907 CET | 49704 | 587 | 192.168.2.10 | 50.87.139.143 | QUIT
                                            Mar 13, 2024 14:14:38.609136105 CET | 587 | 49704 | 50.87.139.143 | 192.168.2.10 | 221 box2248.bluehost.com closing connection

                                            Target ID:1
                                            Start time:14:12:53
                                            Start date:13/03/2024
                                            Path:C:\Users\user\Desktop\SHIPPING DOC.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\SHIPPING DOC.exe
                                            Imagebase:0x770000
                                            File size:830'464 bytes
                                            MD5 hash:A53510C8ABFED32DFB6F0765DE3FAF7B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1229936951.0000000003D5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:14:12:54
                                            Start date:13/03/2024
                                            Path:C:\Users\user\Desktop\SHIPPING DOC.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\SHIPPING DOC.exe
                                            Imagebase:0x240000
                                            File size:830'464 bytes
                                            MD5 hash:A53510C8ABFED32DFB6F0765DE3FAF7B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:14:12:54
                                            Start date:13/03/2024
                                            Path:C:\Users\user\Desktop\SHIPPING DOC.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\SHIPPING DOC.exe
                                            Imagebase:0xdc0000
                                            File size:830'464 bytes
                                            MD5 hash:A53510C8ABFED32DFB6F0765DE3FAF7B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2478143113.000000000332E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2478143113.0000000003336000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2475894598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2478143113.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2478143113.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:8.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:94
                                              Total number of Limit Nodes:6

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1231317698.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_50c0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: '2q$$2q
                                              • API String ID: 0-1962809717
                                              • Opcode ID: 43344613a29d0d2d91cd1856ffef3cd186e753db9ac31bb9c34859849a15340e
                                              • Instruction ID: c57d18ca1e4237f22ba740790d876839bd2e366bcb0853cdf3ede51602fcc71b
                                              • Opcode Fuzzy Hash: 43344613a29d0d2d91cd1856ffef3cd186e753db9ac31bb9c34859849a15340e
                                              • Instruction Fuzzy Hash: 39638474A02219CFDB25DB24D898BAEB7B6FF8A304F5045E9D40967395CB35AE81CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1231317698.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_50c0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: '2q$$2q
                                              • API String ID: 0-1962809717
                                              • Opcode ID: 15b9bc7d3f2b6881f94c7393cd68814acf670333634b408ad8d8ea7610bcd933
                                              • Instruction ID: f5d7578dd3968f8306c8f1659b3edd54c221a1b1640248008cbf534ab378a4dc
                                              • Opcode Fuzzy Hash: 15b9bc7d3f2b6881f94c7393cd68814acf670333634b408ad8d8ea7610bcd933
                                              • Instruction Fuzzy Hash: CE637474A02219CFDB25DB24D898BAEB7B6FF8A304F5045E9D4096B355CB35AE81CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 029BB47E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 24464e00d329ed2bb1adaa86da51175433d8d08f38cdc9e82ede1664acaf3a2c
                                              • Instruction ID: 26e80d9b0b171242b50d9fbcf550a3a2aa1bfb7d2f332fe7cafb792444246a89
                                              • Opcode Fuzzy Hash: 24464e00d329ed2bb1adaa86da51175433d8d08f38cdc9e82ede1664acaf3a2c
                                              • Instruction Fuzzy Hash: 0A814570A00B058FDB25DF2AD55579ABBF5FF88308F008929D88AD7A90D774E946CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 029B5DC9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: a94b355e474e3f8f755cd54d13579abb88d1f3792955ee29e2e61bc3509e3f7b
                                              • Instruction ID: d31fa78a9bdfd9f8c9d1b28a503a3e0caa96375b8d81bd9ba3ed44472086c7b0
                                              • Opcode Fuzzy Hash: a94b355e474e3f8f755cd54d13579abb88d1f3792955ee29e2e61bc3509e3f7b
                                              • Instruction Fuzzy Hash: DF41E2B0C00719CBEB25CFA9C984BDDBBB5BF48304F60816AD408AB251DBB16946CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 029B5DC9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 78585af13cec19eb082a6b8b5f1cee3c5392c15c1b5176e9c43a12a0deab811a
                                              • Instruction ID: 2ad1ccc95c5d227604aee03fddc13b365acd92f499c31561738285eabf9e098f
                                              • Opcode Fuzzy Hash: 78585af13cec19eb082a6b8b5f1cee3c5392c15c1b5176e9c43a12a0deab811a
                                              • Instruction Fuzzy Hash: A241E2B1C00719CFEB25CFA9C984BDDBBB5BF49304F60816AD408AB250DBB56946CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 050C4461
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1231317698.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_50c0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 5ae62748c85bb7a4ee6a2797f9e3901cac887f559c7722b8f9f7ad00d73c7aea
                                              • Instruction ID: 7220c35f7112b50d160bf7b06f88be7352d69406885b41b6f15fc47ffd5c853e
                                              • Opcode Fuzzy Hash: 5ae62748c85bb7a4ee6a2797f9e3901cac887f559c7722b8f9f7ad00d73c7aea
                                              • Instruction Fuzzy Hash: 0241E7B9900305CFDB14DF95D488AAEBBF5FF89314F248499E919AB321D774A841CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029BDAC6,?,?,?,?,?), ref: 029BDB87
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 74d70d7ef3de6828b1ef73b6e7c8a71efd0ccc2d8bad8efda06e906fe1e7b7eb
                                              • Instruction ID: c4cb9d9bdca948fc61bd177f1bc3667920c6f67b35c6d7f36be042140016c40f
                                              • Opcode Fuzzy Hash: 74d70d7ef3de6828b1ef73b6e7c8a71efd0ccc2d8bad8efda06e906fe1e7b7eb
                                              • Instruction Fuzzy Hash: 3D21E5B59003599FDB10CF9AD984AEEFBF4EF48310F14842AE958A7310D374A944CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029BDAC6,?,?,?,?,?), ref: 029BDB87
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 34887513233031eedbd9222d0ebec80af3f639a5d89ce8bdb92b4bcbff4a0fd9
                                              • Instruction ID: fdba0ab22d1e8e5ee1299d732c66063bca54a52d5d2ea96be51eadc14ba39fa2
                                              • Opcode Fuzzy Hash: 34887513233031eedbd9222d0ebec80af3f639a5d89ce8bdb92b4bcbff4a0fd9
                                              • Instruction Fuzzy Hash: 9D21E5B59003599FDB10CF9AD984ADEBBF4EB48310F14801AE918A3310C379A944CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029BB4F9,00000800,00000000,00000000), ref: 029BB70A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 1ad4f893b3b3ee7458688430279fe5a4e7dcb09161b1048a507138d0b4e45251
                                              • Instruction ID: d437f020eca45fda95dda06d0165c79b2ea37ef483e0b64e1b96cfee8b9130c6
                                              • Opcode Fuzzy Hash: 1ad4f893b3b3ee7458688430279fe5a4e7dcb09161b1048a507138d0b4e45251
                                              • Instruction Fuzzy Hash: CE1106B69003099FDB10CF9AD584BDEFBF4EF48314F50842AD819A7640C375A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029BB4F9,00000800,00000000,00000000), ref: 029BB70A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: b6b43cb1900cc3ace423acd6816b7acde6a9fef6e155a77e3ed02d26f228b3a4
                                              • Instruction ID: a3eb06c5eceeb435e302d15d89d8001712ed820e5ce5a7ee2cd7da6ee690e438
                                              • Opcode Fuzzy Hash: b6b43cb1900cc3ace423acd6816b7acde6a9fef6e155a77e3ed02d26f228b3a4
                                              • Instruction Fuzzy Hash: 441103B69003099FDB20CF9AD584BDEFBF4EB48314F14842AD819A7640C3B9A545CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 029BB47E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: efc7a641942a4bb01f5ab6c700a561ee47027c9209c7c49053a21ba09ddd96d5
                                              • Instruction ID: 646296ada25f15d25fa999ca967f4b6a36a4bb7b23952be021c8d38ae7d4e8f1
                                              • Opcode Fuzzy Hash: efc7a641942a4bb01f5ab6c700a561ee47027c9209c7c49053a21ba09ddd96d5
                                              • Instruction Fuzzy Hash: 5A1102B6C003498FDB20CF9AC544BDEFBF5EF48218F10841AD859A7250C379A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1228592570.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0d000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d27b15ac410ed72ad0ee0135f757f2b74a410b0c68406e764af78547afd6b741
                                              • Instruction ID: fc4942a2c351955fb518deaf921d38941b9cbae5819318686e3c4fd5f584d516
                                              • Opcode Fuzzy Hash: d27b15ac410ed72ad0ee0135f757f2b74a410b0c68406e764af78547afd6b741
                                              • Instruction Fuzzy Hash: 52216AB1508304DFDB05DF40CDC0B26BB65FB94324F24C16DE90A5B286C336E896CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1228620362.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e1d000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2d18da980f0b99bc3042cfef8bf5544aaea0fc1d182f8898105e4fd99a2a20f3
                                              • Instruction ID: 012391bac3eba380e0a98b1de4d0cbd033e5f18874738a778d2fb3924d54bbd1
                                              • Opcode Fuzzy Hash: 2d18da980f0b99bc3042cfef8bf5544aaea0fc1d182f8898105e4fd99a2a20f3
                                              • Instruction Fuzzy Hash: EB21F575508344DFDB15DF14D980B56BB66FB88314F24C56DD80A5B286C33BD887CA62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1228620362.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e1d000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37623b81a711ab73a69fa1389bc0b59f448aa349fc7e3b7d34e035a5c8dc3f52
                                              • Instruction ID: 9037d7879a118a2a68d692363d1212737fad834e541bd43c849a5058d267e5c2
                                              • Opcode Fuzzy Hash: 37623b81a711ab73a69fa1389bc0b59f448aa349fc7e3b7d34e035a5c8dc3f52
                                              • Instruction Fuzzy Hash: B221837550D3808FC712CF24D990755BF71EB46314F28C5EAD8498F6A7C33A984ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1228592570.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0d000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                              • Instruction ID: cf5e18116fb0819570a3eb88c8e6ee6e2e972a4e615d0a41a0983d0872ff96b5
                                              • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                              • Instruction Fuzzy Hash: FA112676408240CFCB12CF40D9C0B16BF71FB94324F24C2A9DC091B656C33AE856CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1228592570.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0d000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2026e1ab6fa6f5cb975cf5bccc4a95976fc3105516a79f07662d93e3c2b4bde1
                                              • Instruction ID: 62b594e07af287a1dca72e86a259597aa177b2a2391850f520f2061838b98f16
                                              • Opcode Fuzzy Hash: 2026e1ab6fa6f5cb975cf5bccc4a95976fc3105516a79f07662d93e3c2b4bde1
                                              • Instruction Fuzzy Hash: 7601A77140C3449BE7205A65CDC47A6FB98EF81374F6CC41BED095A2C2D2799880CB72
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1228592570.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0d000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b88f6cefe84237fa066c38909006b16c7a9b5f58137182aa7de8c5de73d2ce61
                                              • Instruction ID: 27c18656038f56aae2db873e644a24631a7e18191a1afc73537661d81163293a
                                              • Opcode Fuzzy Hash: b88f6cefe84237fa066c38909006b16c7a9b5f58137182aa7de8c5de73d2ce61
                                              • Instruction Fuzzy Hash: ECF062764083449FE7208A16CDC4B66FF98EF91778F28C55AED485F286C2799884CB71
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1231317698.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_50c0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2fec8cf2b4d52b453ae9b4988b4b750aa54495fb5736681d44636fd179a05759
                                              • Instruction ID: 8909993241a9d3084c6004d0e72c78990c476b298ed7c9b8a5c937efb606a2c4
                                              • Opcode Fuzzy Hash: 2fec8cf2b4d52b453ae9b4988b4b750aa54495fb5736681d44636fd179a05759
                                              • Instruction Fuzzy Hash: 9C1261B0422B458EE320CF65ED4E18D7EB1BBC53A8B504209E2655E6E1DFBC114BCF4A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1229360382.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_29b0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 469e2475a5b05a200e52fda1a3c36e3fd842e265d124312d5553ebcf5fbe2f05
                                              • Instruction ID: 49aa108183629318fca0a65344b6f0b4620677ae32fefcea7183cfb893f08726
                                              • Opcode Fuzzy Hash: 469e2475a5b05a200e52fda1a3c36e3fd842e265d124312d5553ebcf5fbe2f05
                                              • Instruction Fuzzy Hash: 59A17032A002058FCF1ADFB4C9845DEBBB6FF85300B15856AF805AB665DB75E946CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1231317698.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_50c0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48f7050931b75e84d3193a0bf94ef41ce0ab4a4064977359258b80fa5536f2a2
                                              • Instruction ID: 0cf875c749159492b5c3a20eb36b5508e78e85c9d3c2f4395280b7ddfc4815cc
                                              • Opcode Fuzzy Hash: 48f7050931b75e84d3193a0bf94ef41ce0ab4a4064977359258b80fa5536f2a2
                                              • Instruction Fuzzy Hash: 6CC191B0822B458EE720DF65EC4A18D7EB1BBC5368F514219E1616F2D0DFB8158BCF4A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d699847f826c9855ea3db1990559f3506ee031a8f3611a5593de0b56b321b3b7
                                              • Instruction ID: 930a144f40487eaa2db2aa14653eeb9483e0843f6b4cba2afe719079938f01b8
                                              • Opcode Fuzzy Hash: d699847f826c9855ea3db1990559f3506ee031a8f3611a5593de0b56b321b3b7
                                              • Instruction Fuzzy Hash: 5A53E731D10B1A8EDB51EF68C8805A9F7B1FF99300F15D79AE4587B121EB70AAD4CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2095a67d158dc41c6b1ee7d08a16893392d3a41a04e50010c55c0329b5c73c14
                                              • Instruction ID: a572ae6f9a5d82df6bc22b08e4837591bfb5cfaab9553784e4959eab26729ff5
                                              • Opcode Fuzzy Hash: 2095a67d158dc41c6b1ee7d08a16893392d3a41a04e50010c55c0329b5c73c14
                                              • Instruction Fuzzy Hash: 6E330C31D1061A8EDB10EF68C8806ADF7B5FF99300F15C79AD459BB211EB70AAD5CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vcm
                                              • API String ID: 0-3044874373
                                              • Opcode ID: bebd5cc39f1834511f289cdfa6521a5d309265d835acc0932435f1721faf6791
                                              • Instruction ID: 94b7fb14a23055231b749148e86f14eb9c07d3ca886b0cbf509a54cd82fde9f3
                                              • Opcode Fuzzy Hash: bebd5cc39f1834511f289cdfa6521a5d309265d835acc0932435f1721faf6791
                                              • Instruction Fuzzy Hash: B8915B74F012099FDF54CFAAC88579EFBF2BF88314F188169E415AB254EB749845CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ba74b931b90d81fe20f65367eeca24141f3b43f8fb871b3a29a8cd0a870e67a
                                              • Instruction ID: 2a0e402c96ed4765dcf77359d2128ec2e5633b34833d14bebf553d4bf0e4056c
                                              • Opcode Fuzzy Hash: 8ba74b931b90d81fe20f65367eeca24141f3b43f8fb871b3a29a8cd0a870e67a
                                              • Instruction Fuzzy Hash: E2D19D74B012058FDB54CFA9D9807AEBBB6FF88310F2481AAD909DB395DB749844CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f895a9b2acf157abc0e9c322bc7dba82e39fee87c1b2873ef7d4a920bf151d3b
                                              • Instruction ID: 828bb9f76ad89ffee2387d259b174353262c444b8beb6e84e1c6e7961d0fe577
                                              • Opcode Fuzzy Hash: f895a9b2acf157abc0e9c322bc7dba82e39fee87c1b2873ef7d4a920bf151d3b
                                              • Instruction Fuzzy Hash: F9B15D70F012198FDB54CFAAD8817ADFBF2BF88314F198529D815EB254EB749885CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vcm$\Vcm
                                              • API String ID: 0-1332369452
                                              • Opcode ID: f2340282fab0e13a3a0938cb64136bace2650c38da19fcb488c0284faa060d0f
                                              • Instruction ID: 3e2b5ef1d8f9d76644956953e49053b22a778d3be6795952d1fff88c259dd186
                                              • Opcode Fuzzy Hash: f2340282fab0e13a3a0938cb64136bace2650c38da19fcb488c0284faa060d0f
                                              • Instruction Fuzzy Hash: 27719CB0E01249DFDB10CFAAC8817DEFBF2BF88310F188129E414AB254EB749845CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vcm$\Vcm
                                              • API String ID: 0-1332369452
                                              • Opcode ID: 5a954d4330e5eef5f9c446a24f9aeaa80fc2957382692755bc7c881c61d18edb
                                              • Instruction ID: 0c4a38cc7d69291686a6d9d555ca8644b03f9e35ae8e6c702aefa4b338c90f11
                                              • Opcode Fuzzy Hash: 5a954d4330e5eef5f9c446a24f9aeaa80fc2957382692755bc7c881c61d18edb
                                              • Instruction Fuzzy Hash: 68717D70E013499FDB54CFAAC8817DEFBF2BF88310F188129E414AB254EB749846CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vcm
                                              • API String ID: 0-3044874373
                                              • Opcode ID: 1533f444b3b1eab1e4a1f7ae811d4edf24c5aa3e598b8bb44ec48400b8f2970b
                                              • Instruction ID: 89cfd23134294c277b49f2a018577749c319a758d62e76f212aaec141e0b5f1e
                                              • Opcode Fuzzy Hash: 1533f444b3b1eab1e4a1f7ae811d4edf24c5aa3e598b8bb44ec48400b8f2970b
                                              • Instruction Fuzzy Hash: 5C915974E012099FDF50CFAAC8857DEFBF2BF88314F188169E415AB254EB749885CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a04d1e590381d17faa8c44177e8f2ba4559fccffc96be056c7df15bdd5623cf
                                              • Instruction ID: e3f6e4f4b8a47d22bca088b3900240353e9f205e615c1ce04084f5c57e5757b4
                                              • Opcode Fuzzy Hash: 6a04d1e590381d17faa8c44177e8f2ba4559fccffc96be056c7df15bdd5623cf
                                              • Instruction Fuzzy Hash: 1312D1717113069FCB56AB38E44822C73ABFBC9B50B64896DD006CB364DF75DC828BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c0a689597ebe66e13a854d2daa6530460ab986328f0ea695b51cf98a1b6a68b9
                                              • Instruction ID: 6517fae74c4066da1fb50de53011bb3ec91ffbcbb513b4eea7afaafefa36c873
                                              • Opcode Fuzzy Hash: c0a689597ebe66e13a854d2daa6530460ab986328f0ea695b51cf98a1b6a68b9
                                              • Instruction Fuzzy Hash: C0C15C75B012048FCB54DFA9D594AADBBF6FF88310F248469E806E7365DB35AC42CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0935f446d9a8df25129e5893a11b14345fa5cc357b50303cb543165ab9a04964
                                              • Instruction ID: 8f39d053f086f44ac6a9fec2976cab93d4d99df1e148e39eb9b5354f2eab5ce9
                                              • Opcode Fuzzy Hash: 0935f446d9a8df25129e5893a11b14345fa5cc357b50303cb543165ab9a04964
                                              • Instruction Fuzzy Hash: F4A15C70F012198FDB50CFAAD8857DDFBF2BF48354F298529D814AB254EB749885CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 85fddbbfd8ffd03c86d15350b55823d371abee36fbc7c7b126059db6764a673d
                                              • Instruction ID: c471884aa2df1310dc99bfe75f0b50dedcd81b8f1e9f20a45dd75051bba63890
                                              • Opcode Fuzzy Hash: 85fddbbfd8ffd03c86d15350b55823d371abee36fbc7c7b126059db6764a673d
                                              • Instruction Fuzzy Hash: 8341D270F11209AFDB14DB79D4547AEB7B6FF85700F20856AE416EB390EB719C428B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f166c778c422faba4b3945d21089459e984c2fadb87ebd026efc0485faa62e4
                                              • Instruction ID: b59f14feb36497bebe3edaecff3cc2ef7075145a79d77985ef277ca727292b05
                                              • Opcode Fuzzy Hash: 4f166c778c422faba4b3945d21089459e984c2fadb87ebd026efc0485faa62e4
                                              • Instruction Fuzzy Hash: 45510371E012188FDB18CFA9D884B9DFBF2BF48310F588529D819BB391D7B5A844CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b9a87cbb1282015c6dc59a88f21b26b6b0079d37a0137719eb3ff6556cc8201
                                              • Instruction ID: c9c6a7e515dda6790cbdb16ae2a77ba86648295bb60e7e553c8d74136fc32d82
                                              • Opcode Fuzzy Hash: 8b9a87cbb1282015c6dc59a88f21b26b6b0079d37a0137719eb3ff6556cc8201
                                              • Instruction Fuzzy Hash: BD510271E012188FDB18CFA9D884B9DFBF2BF48310F588529E815BB391D7B5A844CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9047aa796696f000a85aa937866e1fff5d9e76759c73bd9499badca56901ad4a
                                              • Instruction ID: ea1274e8df00f3f7568169f947ead1e94b95b49df64461a25b30d6a3b21acc2d
                                              • Opcode Fuzzy Hash: 9047aa796696f000a85aa937866e1fff5d9e76759c73bd9499badca56901ad4a
                                              • Instruction Fuzzy Hash: 96513B70351242CFDB15DB2EF888A597B6AF79A305344C1A8D0424F376DAB86D49CFA3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37eb925fd0e6c268d79582cc46b2981a2f039bc8f852e2c8560e1a13d2797b14
                                              • Instruction ID: 63928e8b009a9d29124c2ec63b5c7fb2cd52b5544371c82cf2948503074f5c90
                                              • Opcode Fuzzy Hash: 37eb925fd0e6c268d79582cc46b2981a2f039bc8f852e2c8560e1a13d2797b14
                                              • Instruction Fuzzy Hash: 9C415E34702215CFDB68DB79D9546ADB7F6EF8E209F1108A8D402AB3A0DB76DC01CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 538f48923c557822e4a345f05d0d9ae2d49636dde482a9528ae5ba02630f98fb
                                              • Instruction ID: 9d98f5855e88b16ab95b52c23e9a5c54f167b0594602490e0878bbf47ef3c565
                                              • Opcode Fuzzy Hash: 538f48923c557822e4a345f05d0d9ae2d49636dde482a9528ae5ba02630f98fb
                                              • Instruction Fuzzy Hash: 72511A70351242CFDB15DB2EF888A597B6AF79A305344C1A8D0424F376DAB86D49CFA3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d163267e547dab323a46504702c522dc2a9cb30c146c2cae3cdeaf60a5e2cbb
                                              • Instruction ID: cef8356251ec150d77ef3e06285e4917b7bf48078e8e6bc77ca71d5a75907ab0
                                              • Opcode Fuzzy Hash: 0d163267e547dab323a46504702c522dc2a9cb30c146c2cae3cdeaf60a5e2cbb
                                              • Instruction Fuzzy Hash: E131FDB2B012068FCB56EF38955426EBBA6BB8A610F6944ACC002DB399DE35CC45C791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7cdcfbc004b14bdae3c89b72a869dc3202e2c4f20af114467913e3ed3552c9a6
                                              • Instruction ID: 8b2eb62a0f29a909595292c6186274230407e5fa9d378eb0c621bc591391edec
                                              • Opcode Fuzzy Hash: 7cdcfbc004b14bdae3c89b72a869dc3202e2c4f20af114467913e3ed3552c9a6
                                              • Instruction Fuzzy Hash: 8431B035B01214CFDB68EF39D9547AEB7F6EB89200F1404A8D506EB390DB769D41CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ea93e2f0177a78dcdaa74346f78591251f76b4a337c4d62a2c049f05d057651
                                              • Instruction ID: 348fe32d6fc5647f77ed702de66f3c7f7f1e4907b6a1333304e8329aa406a429
                                              • Opcode Fuzzy Hash: 6ea93e2f0177a78dcdaa74346f78591251f76b4a337c4d62a2c049f05d057651
                                              • Instruction Fuzzy Hash: F8313835F1060A9FDB14CB69D89469EB7F6FF89300F148529E816EB350EB70A842CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfb57004cc57e5a55165a76497768c11094af61e5634bc972504e093752889fd
                                              • Instruction ID: 26ac99256a56f904d72abb6a89f0800d649e8ee79ebb6ffeaf3e47f0c0c6e823
                                              • Opcode Fuzzy Hash: dfb57004cc57e5a55165a76497768c11094af61e5634bc972504e093752889fd
                                              • Instruction Fuzzy Hash: 12318A30F11209DFDB24CFA9D45479EB7B6FF89711F20856AE816EB240EB71E9418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b6372b51ea34a10708778e305077f591eeb6be4f9c5675812a87681668cf9a75
                                              • Instruction ID: 9a0e5612cb8b8df8b10692406d63f2e9cdaec023b505f586db3e8db79d19e96e
                                              • Opcode Fuzzy Hash: b6372b51ea34a10708778e305077f591eeb6be4f9c5675812a87681668cf9a75
                                              • Instruction Fuzzy Hash: 3C4102B1D01348DFDB14DFA9C480ADEBBF9FF48310F148429E419AB254DB759985CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e117150f02b237bcc638701eac146fc54fa263289051ead1d58d4ae4c5966eb
                                              • Instruction ID: bf43b0b97d178aea68b13698b305fbc46f8026fb6fe0d08e1ebde42df092660d
                                              • Opcode Fuzzy Hash: 7e117150f02b237bcc638701eac146fc54fa263289051ead1d58d4ae4c5966eb
                                              • Instruction Fuzzy Hash: 73313934F1460A9FDB14CB69D49469EB7F6FF89300F108559E816AB350EB70AC42CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21f9c4cb5aee78caef85bb22808baa2b544cd32f5ca2833425487755cbc83502
                                              • Instruction ID: 19882ffff98c62b056af64a5cd428631d899482a3372ad78f80d6bc61c06e539
                                              • Opcode Fuzzy Hash: 21f9c4cb5aee78caef85bb22808baa2b544cd32f5ca2833425487755cbc83502
                                              • Instruction Fuzzy Hash: 2541F2B0E01348DFDB14DFA9C584ADEBBF9FF48310F248429E819AB254DB75A945CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 364c7c4be0137d88537126c289acd7f409a08674ca1d9b1df8982792ffde0b4c
• Instruction ID: b890b3593a3a91a1672859060a2a858067096600327da5631fccfdc093f290ce
• Opcode Fuzzy Hash: 364c7c4be0137d88537126c289acd7f409a08674ca1d9b1df8982792ffde0b4c
• Instruction Fuzzy Hash: 3F316038701214CFDB58DB39D91469DB7F6AF8E205F1008A8D402AB394DF76DC41CBA6
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac17bc2b19ad35890cb51c22aef774a29907d5cd1903376061507406604e4dd8
• Instruction ID: 20039ad4448eec71fcbd6e47cbac63f503ab9980613ce10f21188a0a9f54a139
• Opcode Fuzzy Hash: ac17bc2b19ad35890cb51c22aef774a29907d5cd1903376061507406604e4dd8
• Instruction Fuzzy Hash: 5D318E75E102099FCF45CFA9D4846AEF7B2FF89300F148619E815AB280EB749841CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c00d2d32f218ebd3394c865033a92c0d427901cfc229ff0b8f01261b82d5c8b
• Instruction ID: 91e115d27b26900ffbf6e98a50882d737d27a9c4da27a03c500fbdfe6b448555
• Opcode Fuzzy Hash: 5c00d2d32f218ebd3394c865033a92c0d427901cfc229ff0b8f01261b82d5c8b
• Instruction Fuzzy Hash: 1C217E31F102099FCF45CFA9D48469EF7B6FF89300F14C619E815AB280DB749881CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ece8023981e1b9af9f564f7d4b4ad7aa334c6a54c73d025d22004972af7719c9
• Instruction ID: ee8d262bd1af30e26ffe4ea8ad1de4c6b7fa411ccb342ab0ef858dad085ee4d4
• Opcode Fuzzy Hash: ece8023981e1b9af9f564f7d4b4ad7aa334c6a54c73d025d22004972af7719c9
• Instruction Fuzzy Hash: C32192707102004FDF64D729F888BAA37BAEB49745F148AA5D446CB355EA78DC808FE2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6663e8b0d702c4519b18fd8d108198eca0dcf4dd96bed6519055dadb528c1d5
• Instruction ID: bc64ef6895fcd30bde54768b12f2ba1ee3d951a6f721c07a02d4c524da2b6f78
• Opcode Fuzzy Hash: b6663e8b0d702c4519b18fd8d108198eca0dcf4dd96bed6519055dadb528c1d5
• Instruction Fuzzy Hash: 66218335E012099FCB18CFA9D4545DEF7B6AF89300F14855AE815BB351EB709845CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c37fc4b2b7c77a59db19f83f329523d6d8251405115ff2741ef339bc2b515c96
• Instruction ID: ff615f24d5fa250813080353e2c6b27c8e89bff48406573b821f1c45a29f4211
• Opcode Fuzzy Hash: c37fc4b2b7c77a59db19f83f329523d6d8251405115ff2741ef339bc2b515c96
• Instruction Fuzzy Hash: 6C215A74701204CFCB54DF79D958AADB7F5EB8E215B1008A8E406EB3A4EB75DC00CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2476515079.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_146d000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01f414a6e7098e6686dc8db2f0f4a3afe8a50075026c041ee1078cead077e101
• Instruction ID: ea9470ea2c7e48be799b4b672059656953688103f4de6426a5f52f8589e0f071
• Opcode Fuzzy Hash: 01f414a6e7098e6686dc8db2f0f4a3afe8a50075026c041ee1078cead077e101
• Instruction Fuzzy Hash: 162125B5A04340DFDB15DF54D880B26BBA9EB8431CF24C56ED98A0B366C337D447CA62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87e5330ffc72698dba3d274130680b4d934f44e0ad1ea902c43ddc86f744ebae
• Instruction ID: aa158a1a0a605650edd91e7fd28311e7c681644bc143c55afe1523f32f346003
• Opcode Fuzzy Hash: 87e5330ffc72698dba3d274130680b4d934f44e0ad1ea902c43ddc86f744ebae
• Instruction Fuzzy Hash: 182103B17123018FDB78E638F48C36C7398E706341F1848AAE806CB795DB79CC858B46
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dd17592ec26ac6a5c1a4c8ca0ee8559fe4a6f1caa629064e1e352805dd734f7
• Instruction ID: 86b3d6520c6dd7c8e60f26a26e3848834c4a7eb3adee75cb4eab5d9c16d274f0
• Opcode Fuzzy Hash: 2dd17592ec26ac6a5c1a4c8ca0ee8559fe4a6f1caa629064e1e352805dd734f7
• Instruction Fuzzy Hash: D8215035F012099FCB18CFA9D8545DEF7B6BF89310F50855AE815BB350EB74A941CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 348d3ce781cd10d33e28bb410c8945775fab3dd93fa438474111f89e86fbd6d0
• Instruction ID: 7e8213e9085e874eb46e521fdf26330311511bdf1891d04d23575dddee6b9050
• Opcode Fuzzy Hash: 348d3ce781cd10d33e28bb410c8945775fab3dd93fa438474111f89e86fbd6d0
• Instruction Fuzzy Hash: D6213A34B01215CFDB68EB69C5147AEB7F6AF8D201F1404A8D106EB390EF769D40CBA6
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 154a5bece9ced7370979549aedd73f92405b5746cdd4eeb5b0cbdbb1c9b62cc6
• Instruction ID: 200f59c917a9b8b5c512ec1c50f871d5db7a616f40ae2ebdd84d7fd4ed81fd62
• Opcode Fuzzy Hash: 154a5bece9ced7370979549aedd73f92405b5746cdd4eeb5b0cbdbb1c9b62cc6
• Instruction Fuzzy Hash: 612193707101004FDF64D729F888B6E37AAEB49745F148AA5D446CB355DA78DC808FA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f09d5b3176a414813579f3871ccc3e90cb16c8427ef8ca94c86537ec78b4fc1
• Instruction ID: 8331adcc8919e8e535ad2cff40b2472e03913e3a2e592b330cf98047d18ac985
• Opcode Fuzzy Hash: 6f09d5b3176a414813579f3871ccc3e90cb16c8427ef8ca94c86537ec78b4fc1
• Instruction Fuzzy Hash: 49211674701204CFCB54DB79D958AADB7F5EB8E215B1004A8E406EB3A4DB75DD00CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b496710f71fc38464a9c903a7a12b7ff6fe12b6e57247983becfe5a727a95d9
• Instruction ID: 7c70f8208fe8e47399d68d52e6b8004081e372649d51cf285913c9cee06e997d
• Opcode Fuzzy Hash: 8b496710f71fc38464a9c903a7a12b7ff6fe12b6e57247983becfe5a727a95d9
• Instruction Fuzzy Hash: AB119430B023094FEFA4DA7BD55836932D9EB46654F188879D486CF341DAA5CC814BD1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2476515079.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_146d000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8462d3f83d145d17486240d9841dda1ac2fa6d0b633a3d6b03a75a25be75e4e3
• Instruction ID: 2cb6ae194f6fca8d6e8b89217dabc42ffe2a6be9b6e0fba1fa2878fbb2ffa20c
• Opcode Fuzzy Hash: 8462d3f83d145d17486240d9841dda1ac2fa6d0b633a3d6b03a75a25be75e4e3
• Instruction Fuzzy Hash: C12183755093808FD713CF24D590716BF71EB46218F28C5DBD8898F667C33A980ACB62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 235e8f236c657b8914ddb58d28040940a9f54daccee0a6670299ecb99642161d
• Instruction ID: 659a06d37fb156c654fa33100e5875fd751791c957c3798ee9ec9957d8bdaf8f
• Opcode Fuzzy Hash: 235e8f236c657b8914ddb58d28040940a9f54daccee0a6670299ecb99642161d
• Instruction Fuzzy Hash: 8E112320304684AFD306AB78A4686AE7FF5EFCA300F1584EBD005CB392DE364841CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e666bcc3495a24964fe60e6fafc2fc155fe9970effc520fe549e330593239f63
• Instruction ID: 5bd3f4ae15ca7f812cd8e49b51cc93662fd3615665e950caee09145a82bdab8c
• Opcode Fuzzy Hash: e666bcc3495a24964fe60e6fafc2fc155fe9970effc520fe549e330593239f63
• Instruction Fuzzy Hash: 8111C630B023094FEFA4DA7BD65437932D9EB56255F18897DD486CF281DAE5CC814BC2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9e18bb85636f89b05439bf526ab646428e46b825d509cc56fec0c988e6a5d58
• Instruction ID: 2ae7098c819eab01d6f0dfe760a3c05410d5d2776900d169590e0a55f1228c71
• Opcode Fuzzy Hash: e9e18bb85636f89b05439bf526ab646428e46b825d509cc56fec0c988e6a5d58
• Instruction Fuzzy Hash: 3611C276B002549FDB50EB7AE80C65F7BF9FB88650B2445A5E946D3304E634C801CBD1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07da8bfdcf6224ef155748af3bc16e593b7a7b158984c1a9786050199c0f7fe4
• Instruction ID: 142f9f97e067a43b2bfa52f275be67afe651977d69d6ffb8f3ef080e1e2347b4
• Opcode Fuzzy Hash: 07da8bfdcf6224ef155748af3bc16e593b7a7b158984c1a9786050199c0f7fe4
• Instruction Fuzzy Hash: 8C11A176B023249FCF65EFB9C4502AEBBF5EF48210B190479D805EB301E735C8418BA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e8587f0f580c959afffbfa5953129d211f192a99c63a4e9a5fe8fdf2b53a9d5
• Instruction ID: ef92b5e8ec6a28c750517e4ae17fcf290eaa35dd2d6bfe091649ae038468dcbc
• Opcode Fuzzy Hash: 4e8587f0f580c959afffbfa5953129d211f192a99c63a4e9a5fe8fdf2b53a9d5
• Instruction Fuzzy Hash: FB014076B023259FCF65EFB9C4542AEBBF5EB88210B144479D805EB301E735C8418BD5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 395cf0fde159dfb74f87ccb7a4f7744f67793e756b9fc52485644cb547bb9776
• Instruction ID: 162b5d1491f3f2b94cc6cf767be3a54edded03ed8e9de78bdf7f5a756df12c88
• Opcode Fuzzy Hash: 395cf0fde159dfb74f87ccb7a4f7744f67793e756b9fc52485644cb547bb9776
• Instruction Fuzzy Hash: 1C018FB0A103089FDB41EFB9F8846ADBBB5EB45700F9042A9C4059B251DE752E44CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed8db8402a705b623814ceaac8160915fc0de610f84b698a492c9f8618dcb20a
• Instruction ID: 8a2cb0c35462db0964396934166e54c56049e208fabad794319183de061e871d
• Opcode Fuzzy Hash: ed8db8402a705b623814ceaac8160915fc0de610f84b698a492c9f8618dcb20a
• Instruction Fuzzy Hash: FFF0247BB06260DFCB26CBA4C4902ACBBB1EE8822175D40E7D812DF701D335D442CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40c9d0d1661a17181b89a04bd9c92d3d9277922dd2df3f117e4ffcbf43998b62
• Instruction ID: f8c07cc93e4afb9aa0e5715725dcae2593e32a0e4aa17a5e4e641ec8e384e8a1
• Opcode Fuzzy Hash: 40c9d0d1661a17181b89a04bd9c92d3d9277922dd2df3f117e4ffcbf43998b62
• Instruction Fuzzy Hash: A8F03C35740204CFC714EB68E558B6C77B2FF88351F5180A8E506CB3A4DB34AD42CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 757270c3de258b1642c3aebe62376122c97f9de0a12497eb9b093af1e94fcfe8
• Instruction ID: 5f50167216cf96b784a17c97142796065329f549592e2f1e02c1a3238cf69e94
• Opcode Fuzzy Hash: 757270c3de258b1642c3aebe62376122c97f9de0a12497eb9b093af1e94fcfe8
• Instruction Fuzzy Hash: 5AF04470A10308DFDB44EFADF8846AD77F5FB49740F908269C4059B250DE752E54CBA1
Uniqueness
• Uniqueness Score: -1.00%
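The records above are the per-function similarity entries Joe Sandbox's IDA plugin emits for the two non-PE memory dumps of process 3 (base addresses 030E0000 and 0146D000). When triaging a report like this one it helps to pull these blocks into structured form: which dump each function was recovered from, whether the dump is executable-and-writable memory without a PE header (the usual home of an unpacked AgentTesla payload), and whether the identifiers in each block are internally consistent. The following Python is an added example, not part of the report and not Joe Sandbox code. It assumes the field order of the .sdmp file name (process index, dump phase, a counter, base address, page protection, three fields left undecoded); that order is inferred from this page, where the process index, phase and base address also appear in the .jbxd snapshot name and in the Offset value, which the parser uses as a cross-check. The function and class names are the example's own, and the embedded sample is a constructed two-record excerpt copied from the list above.

```python
"""Parse Joe Sandbox "Memory Dump Source" records. Added example, not from the
report or from Joe Sandbox. Assumed .sdmp field order: process index, dump
phase, counter, base address, page protection, three undecoded fields; the
first, second and fourth also appear in the .jbxd name and the Offset value."""
import re
from collections import Counter
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # documented Win32 constant
FIELD_RE = re.compile(r"^\s*(?:•\s*)?([A-Za-z ]+?):\s*(.*?)\s*$")  # "• Key: value"
SOURCE_RE = re.compile(r"^(?P<name>[0-9A-Fa-f.]+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_")

# Constructed excerpt: two records copied from the list above, one per dump.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000003.00000002.2477748688.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_30e0000_SHIPPING DOC.jbxd
Similarity
• API ID:
• Opcode ID: 6f09d5b3176a414813579f3871ccc3e90cb16c8427ef8ca94c86537ec78b4fc1
• Instruction ID: 8331adcc8919e8e535ad2cff40b2472e03913e3a2e592b330cf98047d18ac985
• Opcode Fuzzy Hash: 6f09d5b3176a414813579f3871ccc3e90cb16c8427ef8ca94c86537ec78b4fc1
• Instruction Fuzzy Hash: 49211674701204CFCB54DB79D958AADB7F5EB8E215B1004A8E406EB3A4DB75DD00CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2476515079.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_146d000_SHIPPING DOC.jbxd
Similarity
• Opcode ID: 8462d3f83d145d17486240d9841dda1ac2fa6d0b633a3d6b03a75a25be75e4e3
• Instruction ID: 2cb6ae194f6fca8d6e8b89217dabc42ffe2a6be9b6e0fba1fa2878fbb2ffa20c
• Opcode Fuzzy Hash: 8462d3f83d145d17486240d9841dda1ac2fa6d0b633a3d6b03a75a25be75e4e3
• Instruction Fuzzy Hash: C12183755093808FD713CF24D590716BF71EB46218F28C5DBD8898F667C33A980ACB62
Uniqueness
• Uniqueness Score: -1.00%
"""

@dataclass
class FunctionRecord:
    dump_name: str
    process_index: int  # assumed field 1 of the .sdmp name
    phase: int          # assumed field 2
    base: int           # field 4; must equal the Offset value
    protect: int        # assumed field 5 (Win32 PAGE_* value)
    based_on_pe: bool
    snapshot: str
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str

    def snapshot_matches_dump(self) -> bool:
        """The .jbxd name repeats process index, phase and base address."""
        m = SNAPSHOT_RE.match(self.snapshot)
        return bool(m) and (int(m[1]), int(m[2]), int(m[3], 16)) == (
            self.process_index, self.phase, self.base)

    def opcode_hash_consistent(self) -> bool:
        """On this report the Opcode Fuzzy Hash always repeats the Opcode ID."""
        return self.opcode_id == self.opcode_fuzzy

def _build(f: dict) -> FunctionRecord:
    src = SOURCE_RE.match(f["Source File"])
    if not src:
        raise ValueError(f"unexpected Source File line: {f['Source File']!r}")
    p = src["name"].split(".")
    rec = FunctionRecord(src["name"], int(p[0], 16), int(p[1], 16), int(p[3], 16),
                         int(p[4], 16), src["pe"] == "true", f["Snapshot File"],
                         f["Opcode ID"], f["Instruction ID"],
                         f["Opcode Fuzzy Hash"], f["Instruction Fuzzy Hash"])
    if rec.base != int(src["offset"], 16):
        raise ValueError("sdmp base address disagrees with the Offset field")
    return rec

def parse_report(text: str) -> list[FunctionRecord]:
    # A new record starts at every "Memory Dump Source" header.
    records, fields = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            if fields:
                records.append(_build(fields))
            fields = {}
        elif fields is not None and (m := FIELD_RE.match(line)):
            fields[m[1]] = m[2]
    if fields:
        records.append(_build(fields))
    return records

def functions_per_dump(records: list[FunctionRecord]) -> dict[str, int]:
    return dict(Counter(f"{r.base:08X}" for r in records))

def rwx_non_pe_dumps(records: list[FunctionRecord]) -> list[str]:
    """RWX regions with no PE header at their start: the first dumps to carve."""
    return sorted({f"{r.base:08X}" for r in records
                   if r.protect == PAGE_EXECUTE_READWRITE and not r.based_on_pe})
```

Run `parse_report` over the text of the full function list (or the report's HTML export after stripping tags) rather than the two-record sample; `functions_per_dump` then shows how the recovered functions split between the two dumps, and any record where `snapshot_matches_dump()` or `opcode_hash_consistent()` is false is a transcription or extraction error worth checking before those identifiers are reused as indicators.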