Edit tour

Windows Analysis Report
Shipping Documents inv. 523435300XX.exe

Overview

General Information

Sample name:	Shipping Documents inv. 523435300XX.exe
Analysis ID:	1448084
MD5:	efae427357884a8d496facd0298f6af8
SHA1:	a69384c7d0d889050d55e557b51e97aa8a3554f7
SHA256:	b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae
Tags:	exeRedLineStealer
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Shipping Documents inv. 523435300XX.exe (PID: 3640 cmdline: "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe" MD5: EFAE427357884A8D496FACD0298F6AF8)

RegSvcs.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

jBpFfg.exe (PID: 5232 cmdline: "C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jBpFfg.exe (PID: 2076 cmdline: "C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "officestore2022@gmail.com", "Password": "xhcgmrubwdhylrry"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 65 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f85e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f8d0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f95a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f9ec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fa56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fac8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fb5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fbee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 65 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40746:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x407b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40842:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x408d4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4093e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x409b0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40a46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40ad6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3992	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 65 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 65 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 65 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.3d96458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3d96458.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d96458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d96458.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3da5e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dad0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3db5a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dbec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dc56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dcc8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dd5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ddee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.299ffc6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.299ffc6.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.299ffc6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.299ffc6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f85e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f8d0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f95a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f9ec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fa56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fac8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fb5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fbee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.299f0de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.299f0de.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.299f0de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.299f0de.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e946:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e9b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ea42:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ead4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3eb3e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ebb0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ec46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ecd6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.299f0de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.299f0de.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.299f0de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.299f0de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40746:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x407b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40842:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x408d4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4093e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x409b0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40a46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40ad6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d20000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d20000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d20000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d20000.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e946:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e9b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ea42:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ead4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3eb3e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ebb0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ec46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ecd6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d20ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d20ee8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d20ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d20ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3da5e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dad0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3db5a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dbec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dc56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dcc8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dd5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ddee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3de3390.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3de3390.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3de3390.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3de3390.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f85e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f8d0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f95a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f9ec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fa56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fac8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fb5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fbee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5380000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5380000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5380000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5380000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f85e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f8d0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f95a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f9ec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fa56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fac8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fb5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fbee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3de3390.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3de3390.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3de3390.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3de3390.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3da5e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dad0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3db5a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dbec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dc56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dcc8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dd5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ddee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d20000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d20000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d20000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d20000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40746:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x407b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40842:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x408d4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4093e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x409b0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40a46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40ad6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5380000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5380000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5380000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5380000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3da5e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dad0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3db5a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dbec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dc56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dcc8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dd5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ddee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3d95570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3d95570.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d95570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d95570.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40746:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8d67e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x407b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8d6f0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40842:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8d77a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x408d4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d80c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4093e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d876:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x409b0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d8e8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40a46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d97e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40ad6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8da0e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3d95570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3d95570.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d95570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d95570.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e946:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e9b8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ea42:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ead4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3eb3e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ebb0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ec46:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ecd6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3d96458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3d96458.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d96458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d96458.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f85e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c796:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f8d0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c808:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f95a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c892:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f9ec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c924:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fa56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c98e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fac8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8ca00:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fb5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8ca96:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fbee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8cb26:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d20ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d20ee8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d20ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d20ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f85e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f8d0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f95a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f9ec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fa56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fac8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fb5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fbee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.299ffc6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.299ffc6.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.299ffc6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.299ffc6.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3da5e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3dad0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3db5a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3dbec:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dc56:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dcc8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dd5e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ddee:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 62 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jBpFfg

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 64.233.184.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3992, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "officestore2022@gmail.com", "Password": "xhcgmrubwdhylrry"}

Multi AV Scanner detection for submitted file

Source: Shipping Documents inv. 523435300XX.exe	ReversingLabs: Detection: 32%
Source: Shipping Documents inv. 523435300XX.exe	Virustotal: Detection: 32%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.7% probability

Machine Learning detection for sample

Source: Shipping Documents inv. 523435300XX.exe

Joe Sandbox ML: detected

Source: Shipping Documents inv. 523435300XX.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E24696
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E2C9C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2C93C FindFirstFileW,FindClose,	0_2_00E2C93C
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E2F200
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E2F35D
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E2F65E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E23A2B
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E23D4E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E2BF27

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 64.233.184.108:587

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 64.233.184.108:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E325E2

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: smtp.gmail.com

Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.gmail.com
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pki.goog/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, R1W.cs

.Net Code: XzfKyIvDT

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E3425A

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E34458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E34458

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

0_2_00E3425A

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E20219

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00E4CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00DC3B4C
Source: Shipping Documents inv. 523435300XX.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b88bc182-7
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_49304f44-5
Source: Shipping Documents inv. 523435300XX.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f9ebf38c-4
Source: Shipping Documents inv. 523435300XX.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0a3254a4-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping Documents inv. 523435300XX.exe

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00E240B1

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00E18858

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E2545F

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DCE800	0_2_00DCE800
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DEDBB5	0_2_00DEDBB5
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E4804A	0_2_00E4804A
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DCE060	0_2_00DCE060
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD4140	0_2_00DD4140
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE2405	0_2_00DE2405
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DF6522	0_2_00DF6522
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E40665	0_2_00E40665
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DF267E	0_2_00DF267E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD6843	0_2_00DD6843
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE283A	0_2_00DE283A
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DF89DF	0_2_00DF89DF
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E40AE2	0_2_00E40AE2
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DF6A94	0_2_00DF6A94
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD8A0E	0_2_00DD8A0E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E1EB07	0_2_00E1EB07
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E28B13	0_2_00E28B13
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DECD61	0_2_00DECD61
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DF7006	0_2_00DF7006
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD3190	0_2_00DD3190
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD710E	0_2_00DD710E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DC1287	0_2_00DC1287
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE33C7	0_2_00DE33C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DEF419	0_2_00DEF419
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE16C4	0_2_00DE16C4
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD5680	0_2_00DD5680
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE78D3	0_2_00DE78D3
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DD58C0	0_2_00DD58C0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE1BB8	0_2_00DE1BB8
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DF9D05	0_2_00DF9D05
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DCFE40	0_2_00DCFE40
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE1FD0	0_2_00DE1FD0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DEBFE6	0_2_00DEBFE6
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_018E3660	0_2_018E3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A9D6F0	2_2_02A9D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A9CAD8	2_2_02A9CAD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A9CE20	2_2_02A9CE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A90FD0	2_2_02A90FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A91030	2_2_02A91030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_063495A0	2_2_063495A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634EDC0	2_2_0634EDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06346258	2_2_06346258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634CAF8	2_2_0634CAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634634F	2_2_0634634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634F517	2_2_0634F517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634BBF8	2_2_0634BBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06340006	2_2_06340006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06340040	2_2_06340040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06740740	2_2_06740740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067464C0	2_2_067464C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06745530	2_2_06745530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06741F20	2_2_06741F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067486B8	2_2_067486B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06741830	2_2_06741830
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Code function: 6_2_01400BC0	6_2_01400BC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: String function: 00DE0D27 appears 70 times
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: String function: 00DE8B40 appears 42 times
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: String function: 00DC7F41 appears 35 times

Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1991396095.000000000448D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents inv. 523435300XX.exe
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename828fa1cf-c07a-41d9-8abe-44ba12064e60.exe4 vs Shipping Documents inv. 523435300XX.exe
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1991205602.0000000003F63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents inv. 523435300XX.exe

Source: Shipping Documents inv. 523435300XX.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E2A2D5 GetLastError,FormatMessageW,

0_2_00E2A2D5

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E18713 AdjustTokenPrivileges,CloseHandle,		0_2_00E18713
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00E18CC3

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E2B59E

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E3F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E3F121

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00E386D0

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00DC4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\jBpFfg

Jump to behavior

Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

File created: C:\Users\user\AppData\Local\Temp\autAB36.tmp

Jump to behavior

Source: Shipping Documents inv. 523435300XX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipping Documents inv. 523435300XX.exe	ReversingLabs: Detection: 32%
Source: Shipping Documents inv. 523435300XX.exe	Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe "C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe"
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe "C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe"
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Shipping Documents inv. 523435300XX.exe

Static file information: File size 1137664 > 1048576

Source: Shipping Documents inv. 523435300XX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Shipping Documents inv. 523435300XX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr

Source: Shipping Documents inv. 523435300XX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipping Documents inv. 523435300XX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E3C304 LoadLibraryA,GetProcAddress,

0_2_00E3C304

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DE8B85 push ecx; ret	0_2_00DE8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A94FA9 push es; ret	2_2_02A94FAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634E2B1 push esp; retf	2_2_0634E2B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634E0D8 push esp; retf	2_2_0634E2B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0634D938 pushad ; ret	2_2_0634D939

Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jBpFfg			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jBpFfg			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (15).png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00DC4A35
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00E455FD

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DE33C7

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Memory allocated: 1650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Memory allocated: 4D30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4611			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1605			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-101061

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

API coverage: 4.7 %

Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe TID: 5496	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E24696
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E2C9C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2C93C FindFirstFileW,FindClose,	0_2_00E2C93C
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E2F200
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E2F35D
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E2F65E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E23A2B
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E23D4E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E2BF27

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00DC4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97262	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97072	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	API call chain: ExitProcess graph end node	graph_0-98376
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	API call chain: ExitProcess graph end node	graph_0-98442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E341FD BlockInput,

0_2_00E341FD

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00DC3B4C

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00DF5CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E3C304 LoadLibraryA,GetProcAddress,

0_2_00E3C304

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_018E3550 mov eax, dword ptr fs:[00000030h]	0_2_018E3550
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_018E34F0 mov eax, dword ptr fs:[00000030h]	0_2_018E34F0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_018E1ED0 mov eax, dword ptr fs:[00000030h]	0_2_018E1ED0

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E181F7

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DEA395
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00DEA364 SetUnhandledExceptionFilter,	0_2_00DEA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A92008

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E18C93 LogonUserW,

0_2_00E18C93

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00DC3B4C

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00DC4A35

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E24EF5 mouse_event,

0_2_00E24EF5

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

0_2_00E181F7

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E24C03

Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DE886B cpuid

0_2_00DE886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00DF50D7

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00E02230 GetUserNameW,

0_2_00E02230

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00DF418A

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe

Code function: 0_2_00DC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00DC4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: WIN_81
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: WIN_XP
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: WIN_XPe
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: WIN_VISTA
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: WIN_7
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: WIN_8
Source: Shipping Documents inv. 523435300XX.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00E36596
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe	Code function: 0_2_00E36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00E36A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Documents inv. 523435300XX.exe	32%	ReversingLabs	Win32.Trojan.Strab
Shipping Documents inv. 523435300XX.exe	32%	Virustotal		Browse
Shipping Documents inv. 523435300XX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	1%	Virustotal		Browse
smtp.gmail.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W	0%	URL Reputation	safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W	0%	URL Reputation	safe
http://pki.goog/gsr1/gsr1.crt02	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://pki.goog/repo/certs/gts1c3.der0	0%	URL Reputation	safe
http://pki.goog/repo/certs/gtsr1.der04	0%	URL Reputation	safe
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	0%	Virustotal		Browse
http://smtp.gmail.com	1%	Virustotal		Browse
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	0%	Avira URL Cloud	safe
http://smtp.gmail.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	1%, Virustotal, Browse	unknown
smtp.gmail.com	64.233.184.108	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.goog/gsr1/gsr1.crl0;	RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.goog/gtsr1/gtsr1.crl0W	RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr1/gsr1.crt02	RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pki.goog/repository/0	RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.gmail.com	RegSvcs.exe, 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki.goog/repo/certs/gts1c3.der0	RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pki.goog/repo/certs/gtsr1.der04	RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.233.184.108	smtp.gmail.com	United States		15169	GOOGLEUS	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448084
Start date and time:	2024-05-27 18:33:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping Documents inv. 523435300XX.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 58 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target jBpFfg.exe, PID 2076 because it is empty
Execution Graph export aborted for target jBpFfg.exe, PID 5232 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:33:56	API Interceptor	31x Sleep call for process: RegSvcs.exe modified
18:34:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jBpFfg C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe
18:34:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jBpFfg C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Doc_10577030xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Copy#51007602.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Doc100057638xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	0000003448.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Stamp invoice copy.xls.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	GestorRemesasCONFIRMIMING.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DRAWING_SHEET_P02405912916 .exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	proforma invoice.bit.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://attachments.office.net/owa/cmangava%40tharisa.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE2N2U5NmFkLWIzMjEtNGMwNS1iOWVlLWExNTBkNDk2NTZjMABGAAAAAAAsNFCwuPDISrln6MRbSR5lBwBC4JDOFd8jTJozG%2BNc7YRrAAAAmcUBAABu3YNoqzF8SLI68HoWeAXzAAFRD3sAAAABEgAQAOXLRvcdfU5Kkg7Zx598XsI%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNTIyZjRhMmM0ZWRmNDA4NjkxMWIwMGFjYzE2ZjgzNzEiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayJdLCJ2ZXIiOiJFeGNoYW5nZS5DYWxsYmFjay5WMSIsImFwcGN0eHNlbmRlciI6Ik93YURvd25sb2FkQDliMDgyOWI5LWJlMzktNDMzNi1hNzY2LWY4YzlkYzJjNzFhNCIsImlzc3JpbmciOiJXVyIsImFwcGN0eCI6IntcIm1zZXhjaHByb3RcIjpcIm93YVwiLFwicHVpZFwiOlwiMTE1MzkwNjY2MTMxNDQwNDI4NFwiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjUyMjAyODA5LWJkODUtNGZmOC04NTUwLTRjNzUwZjNhODNlZFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTUtMjEtMTAxMjEyODM0Ni0xNjc3NDQzNDQtMTE3Njg1Mjg2MS0xMzc4MTQ4OVwifSIsIm5iZiI6MTcxNjc5NjM3MCwiZXhwIjoxNzE2Nzk2NjcwLCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiaGFwcCI6Im93YSJ9.QgmzIBWvZG6gLwDV2SGPl9TdStXctQrpU_xiIGcL5I4eoVDkUPzqcKcrSAnwOD_E73nNMbCTWC-kgcJIIFGhLmh8iFWITRD5MwmaJN23JV7c8rlmzHlxnoqm8tPo98Soui3XZZYSaJZVTruXDBhUCiweHA69qYSoZDJxVUYZDvl5KvXMWJkA_ui0Vq1Sw7pPL5h9t4_QlGAarVBz6O9q21EGSBoX_hWPpcaEGJwoBDVeI-G6VvbkXzy9bJEMEZ6N-WzLyQtuKS9HVJBafIkUxsf0pIhhnJUluyukhnQ1dZohnpQr8e5v0Xoa3SObMFt_C5SeZHG2hFyxqFdeBhKQ_w&X-OWA-CANARY=X-OWA-CANARY_cookie_is_null_or_empty&owa=outlook.office.com&scriptVer=20240517003.15&clientId=1A63CAED249649AEBB5264A13128C2B5&animation=true&persistenceId=80cb7b14-7011-42b1-acde-250d928510f9	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.acm.gov.pt/html/js/editor/ckeditor/editor/filemanager/browser/liferay/browser.html?p=insta&Connector=https://a.top1cheat.com/kJIVLY5E	Get hash	malicious	Unknown	Browse	172.67.184.156
	hXXps://www.acm.gov.pt/html/js/editor/ckeditor/editor/filemanager/browser/liferay/browser.html?p=insta&Connector=https://a.top1cheat.com/kJIVLY5E	Get hash	malicious	Unknown	Browse	172.67.184.156
	https://shorter.gg/dUUJUv	Get hash	malicious	Phisher	Browse	104.21.74.233
	Doc_10577030xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://stikeman-vpn.azureedge.net/?value=odWPPcO	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://link.elliottscotthr.com/api/redirect.me?track=000000&url=https%3A%2F%2Fwww.atjehupdate.com/3tvdgh	Get hash	malicious	Unknown	Browse	104.17.2.184
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	kam.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233
	las.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233
	upload.vbs	Get hash	malicious	Unknown	Browse	162.159.135.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	oxi.ps1	Get hash	malicious	DarkGate, MailPassView	Browse	172.67.74.152
	http://see-track.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	Doc_10577030xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	http://154.29.75.236	Get hash	malicious	Unknown	Browse	172.67.74.152
	kam.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	las.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	upload.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	Copy#51007602.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	yk4ABozmBY.exe	Get hash	malicious	RedLine	Browse	172.67.74.152
	Doc100057638xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe	NUEVA ORDEN DE COMPRAsxlx..exe	Get hash	malicious	Snake Keylogger	Browse
	OSE - PO & FCST - ___-LT24052303183991-01.exe	Get hash	malicious	Remcos	Browse
	msimg32.dll	Get hash	malicious	Remcos	Browse
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse
	Hesap hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	AgentTesla	Browse
	USD BANK DETAILS.PNG.exe	Get hash	malicious	AgentTesla	Browse
	new order.exe	Get hash	malicious	AgentTesla	Browse
	New order.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jBpFfg.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Mazatl

Download File

Process:	C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.899888017115224
Encrypted:	false
SSDEEP:	3072:zo8PeMB5HgerB+zIovNvDm0l+rLT4zMFqRRegAdEYte/CR5JC3pK0qYfLM4sqz6C:JnA9k+Sw+rLcoFYSEtaEpL7TQtBA
MD5:	D5502A154CDA81EF84937CBADFB0B903
SHA1:	0D71ED2FD1095D422C4869618CE6820B5E2D32C4
SHA-256:	A7D3016A4769B885F55436A7DD9FAE812AE34EF256FE339DD18D170DB05E6344
SHA-512:	2A9C362AEFE1967987BE6E654041A6CC89AF876647F8D14D216F016CACA8E42C0B64CA744AE5B443E090D5A18F8720E7726F001859C97E6515D531EF9951F923
Malicious:	false
Reputation:	low
Preview:	.j.BZJ7C3KTT..QX.A7LRP0E.YJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA.LRP>Z.WJ.J.j.U..p.?(Dl""_"08'. V%:;&i3=w3B"r9^e.....X/1z_D[\|WA7LRP0-R.g.2.5x%.7}).?.o-..4.'A..I`%.,e .).F.,b.+<E;.=.h=.8.&ebL2.!.;.0)_oF.TRIQXWA7LRP0EBYJ.&x-TTRI..WA{MVPD.B.J7C7KTTR.Q{VJ6ERP.DBY65C7KTT}.QXWQ7LR.1EBY.7C'KTTPIQ]WA7LRP0@BYJ7C7KT4VIQ\WA.wPP2EB.J7S7KDTRIQHWA'LRP0EBIJ7C7KTTRIQX.T5L.P0EB9H7..JTTRIQXWA7LRP0EBYJ7C7KTTRI..VA+LRP0EBYJ7C7KTTRIQXWA7LRP0EB.G5CwKTTRIQXWA7LR.1E.XJ7C7KTTRIQXWA7LRP0EBYJ7C7Kz 71%XWA/.SP0UBYJ.B7KPTRIQXWA7LRP0EByJ7#.905&(QX.,7LR.1EB7J7C.JTTRIQXWA7LRP0.BY..'V?5TRI.hWA7lPP0SBYJ=A7KTTRIQXWA7LR.0E.w8D1TKTTn.PXW!5LR.1EByH7C7KTTRIQXWA7.RPpEBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTR

C:\Users\user\AppData\Local\Temp\Wauseon

Download File

Process:	C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe
File Type:	ASCII text, with very long lines (28734), with no line terminators
Category:	dropped
Size (bytes):	28734
Entropy (8bit):	3.6010989738941577
Encrypted:	false
SSDEEP:	768:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6d:AiTZ+2QoioGRk6ZklputwjpjBkCiw2Rq
MD5:	F380297F6192024904065554FB5B9C6B
SHA1:	EB921508A23797F2EC5241E5048A429DC281E3CD
SHA-256:	F7A119BAEB34DFF7B0EE8C8401168BDDEF7AA468343D323C907C16DEE52A8450
SHA-512:	E1DFE890FA7762C3B709CA482C2976AE2F6CAA5A94C5A5DDB3029F625CD290D2830157CE8F167C80CC925D2D95E73A20ED3D22F141A749B8695B74C9DE122273
Malicious:	false
Reputation:	low
Preview:	1FEC9305B8B80D0A4D5BE5470B516E345C1E09CE62D1EF502E0FCD31BDB10x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffff

C:\Users\user\AppData\Local\Temp\autAB36.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.899888017115224
Encrypted:	false
SSDEEP:	3072:zo8PeMB5HgerB+zIovNvDm0l+rLT4zMFqRRegAdEYte/CR5JC3pK0qYfLM4sqz6C:JnA9k+Sw+rLcoFYSEtaEpL7TQtBA
MD5:	D5502A154CDA81EF84937CBADFB0B903
SHA1:	0D71ED2FD1095D422C4869618CE6820B5E2D32C4
SHA-256:	A7D3016A4769B885F55436A7DD9FAE812AE34EF256FE339DD18D170DB05E6344
SHA-512:	2A9C362AEFE1967987BE6E654041A6CC89AF876647F8D14D216F016CACA8E42C0B64CA744AE5B443E090D5A18F8720E7726F001859C97E6515D531EF9951F923
Malicious:	false
Reputation:	low
Preview:	.j.BZJ7C3KTT..QX.A7LRP0E.YJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA.LRP>Z.WJ.J.j.U..p.?(Dl""_"08'. V%:;&i3=w3B"r9^e.....X/1z_D[\|WA7LRP0-R.g.2.5x%.7}).?.o-..4.'A..I`%.,e .).F.,b.+<E;.=.h=.8.&ebL2.!.;.0)_oF.TRIQXWA7LRP0EBYJ.&x-TTRI..WA{MVPD.B.J7C7KTTR.Q{VJ6ERP.DBY65C7KTT}.QXWQ7LR.1EBY.7C'KTTPIQ]WA7LRP0@BYJ7C7KT4VIQ\WA.wPP2EB.J7S7KDTRIQHWA'LRP0EBIJ7C7KTTRIQX.T5L.P0EB9H7..JTTRIQXWA7LRP0EBYJ7C7KTTRI..VA+LRP0EBYJ7C7KTTRIQXWA7LRP0EB.G5CwKTTRIQXWA7LR.1E.XJ7C7KTTRIQXWA7LRP0EBYJ7C7Kz 71%XWA/.SP0UBYJ.B7KPTRIQXWA7LRP0EByJ7#.905&(QX.,7LR.1EB7J7C.JTTRIQXWA7LRP0.BY..'V?5TRI.hWA7lPP0SBYJ=A7KTTRIQXWA7LR.0E.w8D1TKTTn.PXW!5LR.1EByH7C7KTTRIQXWA7.RPpEBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTRIQXWA7LRP0EBYJ7C7KTTR

C:\Users\user\AppData\Local\Temp\autAB85.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe
File Type:	data
Category:	dropped
Size (bytes):	9918
Entropy (8bit):	7.586155216709603
Encrypted:	false
SSDEEP:	192:XLNAVE7gS2MYdl+6SgtVppxuBhQKQuA8fng3jJMkaFxgdwqo:7NAygS2MYdlfSgnppEhQfuA8Pg3WkaF1
MD5:	D74AEED0A2041F84A9B3E91DA6BBDDA9
SHA1:	F8BCA5A2E195CFB1B9AA1462737D89391587156C
SHA-256:	7051BD983E42B4FF0F5D5B219C322F8071FB4D302C050B4D9034FFC6FEAEEF5D
SHA-512:	5E88F2D371F7BE363D60315A3C20B406F656A73524CE44871A335491B7AFA9ADCB2EA7654A06B145D9E33FAE5836706F85A9CAD70157AB9AF6A4C67CEF6FE628
Malicious:	false
Reputation:	low
Preview:	EA06..p>...9..a5.N(S...aA.Q&.*,.i7.P.....g4...4Y..E.L...-.k0.Qf.j..g1.Q(S...k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@

C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: NUEVA ORDEN DE COMPRAsxlx..exe, Detection: malicious, Browse Filename: OSE - PO & FCST - ___-LT24052303183991-01.exe, Detection: malicious, Browse Filename: msimg32.dll, Detection: malicious, Browse Filename: DHL INVOICE.scr.exe, Detection: malicious, Browse Filename: DHL INVOICE.scr.exe, Detection: malicious, Browse Filename: Hesap hesaphareketi-01.exe, Detection: malicious, Browse Filename: FW CMA SHZ Freight invoice CHN1080769.exe, Detection: malicious, Browse Filename: USD BANK DETAILS.PNG.exe, Detection: malicious, Browse Filename: new order.exe, Detection: malicious, Browse Filename: New order.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.128611658803271
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping Documents inv. 523435300XX.exe
File size:	1'137'664 bytes
MD5:	efae427357884a8d496facd0298f6af8
SHA1:	a69384c7d0d889050d55e557b51e97aa8a3554f7
SHA256:	b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae
SHA512:	fa5c041de19a1c812351cad0eb2b040677584969838f37e4e752e9abb85c9db78488f5371015d08e39a33dcbddbc9292f28da23fddea1c5dbfab1ea252ef3a52
SSDEEP:	24576:NAHnh+eWsN3skA4RV1Hom2KXMmHazOnIiLQiAQJGyzq925:sh+ZkldoPK8YazOIiLQiRYyzV
TLSH:	C535AD02B3D2D036FFAB92735B6AF20196BD79250133852F13982DB9B9701B1277D663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	4f050d0d0d054f90

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6654721D [Mon May 27 11:44:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FEB00D74B4Dh
jmp 00007FEB00D67904h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FEB00D67A8Ah
cmp edi, eax
jc 00007FEB00D67DEEh
bt dword ptr [004C41FCh], 01h
jnc 00007FEB00D67A89h
rep movsb
jmp 00007FEB00D67D9Ch
cmp ecx, 00000080h
jc 00007FEB00D67C54h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FEB00D67A90h
bt dword ptr [004BF324h], 01h
jc 00007FEB00D67F60h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FEB00D67C2Dh
test edi, 00000003h
jne 00007FEB00D67C3Eh
test esi, 00000003h
jne 00007FEB00D67C1Dh
bt edi, 02h
jnc 00007FEB00D67A8Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FEB00D67A93h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FEB00D67AE5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x4b468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x114000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x4b468	0x4b600	de1f60c0a07c8e43b310bc979e7a60ca	False	0.963023424543947	data	7.95994554290634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x114000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.3079268292682927
RT_MENU	0xc9878	0x50	data	English	Great Britain	0.9
RT_STRING	0xc98c8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xc9e5c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xca4e8	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xca978	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcaf74	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcb5d0	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcba38	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcbb90	0x473bc	data			1.0003290240324636
RT_GROUP_ICON	0x112f4c	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0x112f60	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x112f74	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x112f88	0x14	data	English	Great Britain	1.25
RT_VERSION	0x112f9c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x113078	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 18:33:55.708791018 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:55.708884954 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:55.708976984 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:55.716439962 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:55.716474056 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.196393013 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.196528912 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:56.201195955 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:56.201246977 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.201553106 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.251765966 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:56.266360998 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:56.306514025 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.438494921 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.438559055 CEST	443	49704	172.67.74.152	192.168.2.5
May 27, 2024 18:33:56.438626051 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:56.446104050 CEST	49704	443	192.168.2.5	172.67.74.152
May 27, 2024 18:33:57.127834082 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:57.132750988 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:57.132894993 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:57.805881023 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:57.806200981 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:57.813774109 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:57.991271019 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:57.991465092 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:57.996400118 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.172422886 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.173077106 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.178024054 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.354562998 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.354619026 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.354656935 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.354691982 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.354727983 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.354732037 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.354769945 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.361047983 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.365936995 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.546506882 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.551806927 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.557161093 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.733453035 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.734551907 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.739562035 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.915560007 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:58.917058945 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:58.921998978 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.263854027 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.264408112 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.269332886 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.447335005 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.447849035 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.453030109 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.629005909 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.629331112 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.634260893 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.867702961 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.900993109 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.901281118 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.901319981 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.907460928 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.907519102 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.909051895 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:33:59.943867922 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:33:59.948942900 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:34:00.538177013 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:34:00.583358049 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:35:38.632328033 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:35:38.637339115 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:35:38.814635992 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:35:38.814657927 CEST	587	49705	64.233.184.108	192.168.2.5
May 27, 2024 18:35:38.814776897 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:35:38.821899891 CEST	49705	587	192.168.2.5	64.233.184.108
May 27, 2024 18:35:38.828227043 CEST	587	49705	64.233.184.108	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 18:33:55.694422007 CEST	53502	53	192.168.2.5	1.1.1.1
May 27, 2024 18:33:55.702501059 CEST	53	53502	1.1.1.1	192.168.2.5
May 27, 2024 18:33:57.119949102 CEST	63250	53	192.168.2.5	1.1.1.1
May 27, 2024 18:33:57.127114058 CEST	53	63250	1.1.1.1	192.168.2.5
May 27, 2024 18:34:40.572654009 CEST	53	63491	162.159.36.2	192.168.2.5
May 27, 2024 18:34:41.080229044 CEST	53	55177	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 18:33:55.694422007 CEST	192.168.2.5	1.1.1.1	0x5543	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
May 27, 2024 18:33:57.119949102 CEST	192.168.2.5	1.1.1.1	0x37ce	Standard query (0)	smtp.gmail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 27, 2024 18:33:55.702501059 CEST	1.1.1.1	192.168.2.5	0x5543	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 27, 2024 18:33:55.702501059 CEST	1.1.1.1	192.168.2.5	0x5543	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 27, 2024 18:33:55.702501059 CEST	1.1.1.1	192.168.2.5	0x5543	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 27, 2024 18:33:57.127114058 CEST	1.1.1.1	192.168.2.5	0x37ce	No error (0)	smtp.gmail.com	64.233.184.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.74.152	443	3992	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 16:33:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-27 16:33:56 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:33:56 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 88a768d70fb07ce4-EWR
2024-05-27 16:33:56 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 27, 2024 18:33:57.805881023 CEST	587	49705	64.233.184.108	192.168.2.5	220 smtp.gmail.com ESMTP ffacd0b85a97d-35579d7de1bsm9452384f8f.13 - gsmtp
May 27, 2024 18:33:57.806200981 CEST	49705	587	192.168.2.5	64.233.184.108	EHLO 114127
May 27, 2024 18:33:57.991271019 CEST	587	49705	64.233.184.108	192.168.2.5	250-smtp.gmail.com at your service, [8.46.123.175] 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
May 27, 2024 18:33:57.991465092 CEST	49705	587	192.168.2.5	64.233.184.108	STARTTLS
May 27, 2024 18:33:58.172422886 CEST	587	49705	64.233.184.108	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	12:33:53
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"
Imagebase:	0xdc0000
File size:	1'137'664 bytes
MD5 hash:	EFAE427357884A8D496FACD0298F6AF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:33:53
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"
Imagebase:	0x860000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:34:08
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:34:08
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:34:16
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe"
Imagebase:	0xa30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:34:16
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00DC3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DC3B7A
IsDebuggerPresent.KERNEL32 ref: 00DC3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E862F8,00E862E0,?,?), ref: 00DC3BFD

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

Part of subcall function 00DD0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DC3C26,00E862F8,?,?,?), ref: 00DD0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00DC3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E793F0,00000010), ref: 00DFD4BC
SetCurrentDirectoryW.KERNEL32(?,00E862F8,?,?,?), ref: 00DFD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E75D40,00E862F8,?,?,?), ref: 00DFD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00DFD581

Part of subcall function 00DC3A58: GetSysColorBrush.USER32(0000000F), ref: 00DC3A62
Part of subcall function 00DC3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00DC3A71
Part of subcall function 00DC3A58: LoadIconW.USER32(00000063), ref: 00DC3A88
Part of subcall function 00DC3A58: LoadIconW.USER32(000000A4), ref: 00DC3A9A
Part of subcall function 00DC3A58: LoadIconW.USER32(000000A2), ref: 00DC3AAC
Part of subcall function 00DC3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DC3AD2
Part of subcall function 00DC3A58: RegisterClassExW.USER32(?), ref: 00DC3B28

Part of subcall function 00DC39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DC3A15
Part of subcall function 00DC39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DC3A36
Part of subcall function 00DC39E7: ShowWindow.USER32(00000000,?,?), ref: 00DC3A4A
Part of subcall function 00DC39E7: ShowWindow.USER32(00000000,?,?), ref: 00DC3A53

Part of subcall function 00DC43DB: _memset.LIBCMT ref: 00DC4401
Part of subcall function 00DC43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DC44A6

Strings

%, xrefs: 00DC3C56
runas, xrefs: 00DFD575
This is a third-party compiled AutoIt script., xrefs: 00DFD4B4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: c84c96459332430f072fdaf15225056553f4bf88f8013af3aa4c064a6309f4b0
Instruction ID: 46081df31e90eaf123e955ef927f44e09ce7c70acb0d6a649a1bc9272180999a
Opcode Fuzzy Hash: c84c96459332430f072fdaf15225056553f4bf88f8013af3aa4c064a6309f4b0
Instruction Fuzzy Hash: A151F73090424AAECB11ABB5DC05FFD7B79EF45700F0481ADF459B71A2DA708A4ACB31

Function 00DC4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00DC4B2B

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

GetCurrentProcess.KERNEL32(?,00E4FAEC,00000000,00000000,?), ref: 00DC4BF8
IsWow64Process.KERNEL32(00000000), ref: 00DC4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00DC4C45
FreeLibrary.KERNEL32(00000000), ref: 00DC4C50
GetSystemInfo.KERNEL32(00000000), ref: 00DC4C81
GetSystemInfo.KERNEL32(00000000), ref: 00DC4C8D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 54686099531e2041b8d1d5fc8aa3464651012265a0aed45cb58795a17b398556
Instruction ID: 7d02d4e1eab28296c1c2f2f9d4a4cbe1250538eba88ede5534285c6ff028df28
Opcode Fuzzy Hash: 54686099531e2041b8d1d5fc8aa3464651012265a0aed45cb58795a17b398556
Instruction Fuzzy Hash: FB91D93154A7C5DEC731DB7885616AAFFE6AF2A300B488D5DE0CB93A41D230E948D739

Function 00DC4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DC4EEE,?,?,00000000,00000000), ref: 00DC4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DC4EEE,?,?,00000000,00000000), ref: 00DC5010
LoadResource.KERNEL32(?,00000000,?,?,00DC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DC4F8F), ref: 00DFDD60
SizeofResource.KERNEL32(?,00000000,?,?,00DC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DC4F8F), ref: 00DFDD75
LockResource.KERNEL32(00DC4EEE,?,?,00DC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DC4F8F,00000000), ref: 00DFDD88

Strings

SCRIPT, xrefs: 00DC5006

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4ee9293358816ccf34bf280081548fdea61c41b2a150b9a549819aae728ab895
Instruction ID: 5e8d9867e1ae72a0f35cc746da5f9f13f0f198080a71c8402493a8a7c859e5fb
Opcode Fuzzy Hash: 4ee9293358816ccf34bf280081548fdea61c41b2a150b9a549819aae728ab895
Instruction Fuzzy Hash: 76119A75200701AFD7218B66EC48F277BB9EBCAB12F24816CF406D6260DBA1E8459670

Function 00DCE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt, xrefs: 00E03F1F
Variable must be of type 'Object'., xrefs: 00E0428C
Dt, xrefs: 00E03F58
Dt, xrefs: 00DCEC1A
Dt, xrefs: 00DCEC21

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: c6ae77c719eda2d301f124f3bd4387fdca66979130aef76593b77933c62c9b96
Instruction ID: 8c27b04fa7f1f31f78ad1df62891673810b802918709dd6b04af8b3e8c6623e9
Opcode Fuzzy Hash: c6ae77c719eda2d301f124f3bd4387fdca66979130aef76593b77933c62c9b96
Instruction Fuzzy Hash: C1A25CB5A04216CFCB24CF58C580FA9B7B2FF48314F28805DE956AB251D735ED86CB61

Function 00E24696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00DFE7C1), ref: 00E246A6
FindFirstFileW.KERNELBASE(?,?), ref: 00E246B7
FindClose.KERNEL32(00000000), ref: 00E246C7

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 14878318f2ff5975c83649b62c9123c7ece9b7beee439522ee2755f27f3ffab2
Instruction ID: c6780ea8f2af4f05a52e4fcd35973e67f55b52cd2c9b80e57576b6c20d38bb20
Opcode Fuzzy Hash: 14878318f2ff5975c83649b62c9123c7ece9b7beee439522ee2755f27f3ffab2
Instruction Fuzzy Hash: 0BE0D8754104109F42106738FC4D8EA775C9F07739F100715F935E10F0E7B059548599

Function 00DD0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD0BBB
timeGetTime.WINMM ref: 00DD0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD0FB3
TranslateMessage.USER32(?), ref: 00DD0FC7
DispatchMessageW.USER32(?), ref: 00DD0FD5
Sleep.KERNEL32(0000000A), ref: 00DD0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00DD105A
DestroyWindow.USER32 ref: 00DD1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DD1080
Sleep.KERNEL32(0000000A,?,?), ref: 00E052AD
TranslateMessage.USER32(?), ref: 00E0608A
DispatchMessageW.USER32(?), ref: 00E06098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E060AC

Strings

@GUI_CTRLID, xrefs: 00E05364
pr, xrefs: 00E053D8
pr, xrefs: 00E0542D
pr, xrefs: 00E05383
@COM_EVENTOBJ, xrefs: 00E0591A
@TRAY_ID, xrefs: 00E05BB9
pr, xrefs: 00E05BDE
@GUI_CTRLHANDLE, xrefs: 00E0540E
@GUI_WINHANDLE, xrefs: 00E053B9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 40efc3c5892ea011351d64ea25b35c57042c0222a943d24f4d44404c3e6d4ff4
Instruction ID: af32d52e9cd4074d969b5482bbceaf1fedda42d64a40214ee2dde5b2d7982053
Opcode Fuzzy Hash: 40efc3c5892ea011351d64ea25b35c57042c0222a943d24f4d44404c3e6d4ff4
Instruction Fuzzy Hash: F5B29271608741DFD724DF24C884BAABBE5FF84304F14491EE499A72A1DB71E885CFA2

Function 00E293DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E291E9: __time64.LIBCMT ref: 00E291F3

Part of subcall function 00DC5045: _fseek.LIBCMT ref: 00DC505D

__wsplitpath.LIBCMT ref: 00E294BE

Part of subcall function 00DE432E: __wsplitpath_helper.LIBCMT ref: 00DE436E

_wcscpy.LIBCMT ref: 00E294D1
_wcscat.LIBCMT ref: 00E294E4
__wsplitpath.LIBCMT ref: 00E29509
_wcscat.LIBCMT ref: 00E2951F
_wcscat.LIBCMT ref: 00E29532

Part of subcall function 00E2922F: _memmove.LIBCMT ref: 00E29268
Part of subcall function 00E2922F: _memmove.LIBCMT ref: 00E29277

_wcscmp.LIBCMT ref: 00E29479

Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AAE
Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E296DC
_wcsncpy.LIBCMT ref: 00E2974F
DeleteFileW.KERNEL32(?,?), ref: 00E29785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E2979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E297AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E297BE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: a0a55f872af41575c6234b15f04a35203971c09e1f53920585e7ff0e28092715
Instruction ID: a809506919b33d94b80f6016d6f97d42d3baa2b16f5a0699199fd890ec549ecd
Opcode Fuzzy Hash: a0a55f872af41575c6234b15f04a35203971c09e1f53920585e7ff0e28092715
Instruction Fuzzy Hash: 37C128B1D00229AADF21DF95DC85EDEB7BDEF45300F0050AAE609E7152DB70AA848F65

Function 00DC3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DC3074
RegisterClassExW.USER32(00000030), ref: 00DC309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC30AF
InitCommonControlsEx.COMCTL32(?), ref: 00DC30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC30DC
LoadIconW.USER32(000000A9), ref: 00DC30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC3101

Strings

0, xrefs: 00DC3056
TaskbarCreated, xrefs: 00DC30A4
+, xrefs: 00DC305D
AutoIt v3 GUI, xrefs: 00DC3090

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 398a91169e5ca14a457bd054b6efa2361307d280f5ebe5c2d130fce243548d6f
Instruction ID: 68ba6880344f915ce7e4dfd4f769b8eb8d0cece7a24163cbc5f58ae67181c743
Opcode Fuzzy Hash: 398a91169e5ca14a457bd054b6efa2361307d280f5ebe5c2d130fce243548d6f
Instruction Fuzzy Hash: F33156B5840309EFDB00CFA5E889AD9BBF4FB0A710F10416AE544B62A0D3B90549CF51

Function 00DC3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DC3074
RegisterClassExW.USER32(00000030), ref: 00DC309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC30AF
InitCommonControlsEx.COMCTL32(?), ref: 00DC30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC30DC
LoadIconW.USER32(000000A9), ref: 00DC30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC3101

Strings

0, xrefs: 00DC3056
TaskbarCreated, xrefs: 00DC30A4
+, xrefs: 00DC305D
AutoIt v3 GUI, xrefs: 00DC3090

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e42b59eb80f0fc4bd4917bb69b59370fa1ab435fed9a19e8b9b0646f79e80601
Instruction ID: b5e48c5830c10c657d976c7a41f10a488d217f028cd682f4658a26d1a29b6a1e
Opcode Fuzzy Hash: e42b59eb80f0fc4bd4917bb69b59370fa1ab435fed9a19e8b9b0646f79e80601
Instruction Fuzzy Hash: FA21C5B5D50218AFDB00DFA6E849B9DBBF4FB09B00F00412AF518B62A0D7B545498F95

Function 00DC71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E862F8,?,00DC37C0,?), ref: 00DC4882

Part of subcall function 00DE074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DC72C5), ref: 00DE0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DC7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DFECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DFED32
RegCloseKey.ADVAPI32(?), ref: 00DFED70
_wcscat.LIBCMT ref: 00DFEDC9

Strings

\Include\, xrefs: 00DC72C5
Include, xrefs: 00DFECE8, 00DFED29
Software\AutoIt v3\AutoIt, xrefs: 00DC72FE
\, xrefs: 00DFEDEC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 9c82c71a1203abf5da501da71b7a079951ab9810bee4fb5a16a49c3178425869
Instruction ID: 92fc7a0bcc9e0838285bf3c950ce1a59845d90fa2873b193eca6831964031e9b
Opcode Fuzzy Hash: 9c82c71a1203abf5da501da71b7a079951ab9810bee4fb5a16a49c3178425869
Instruction Fuzzy Hash: 7A717CB14083069EC314EF66EC8196BBBE8FF95750B54492EF589A31B0DB30D948CB71

Function 00DC3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00DC36D2
KillTimer.USER32(?,00000001), ref: 00DC36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DC371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC372A
CreatePopupMenu.USER32 ref: 00DC373E
PostQuitMessage.USER32(00000000), ref: 00DC375F

Strings

%, xrefs: 00DFD2D1, 00DFD31F
TaskbarCreated, xrefs: 00DC3725

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: b123129c58e12df72668716be78da0467eeba89fb5e3ddbb713ced683b943134
Instruction ID: 840ee1ca10c2b5564e976ca2b15bf5481b8fe8032cce1cd5b818b0f2f2280ade
Opcode Fuzzy Hash: b123129c58e12df72668716be78da0467eeba89fb5e3ddbb713ced683b943134
Instruction Fuzzy Hash: 044116B2254107BFDF146F68EC0AF793755EB41300F18812DF64AA72E1CA64DE1597B1

Function 00DC3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DC3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00DC3A71
LoadIconW.USER32(00000063), ref: 00DC3A88
LoadIconW.USER32(000000A4), ref: 00DC3A9A
LoadIconW.USER32(000000A2), ref: 00DC3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DC3AD2
RegisterClassExW.USER32(?), ref: 00DC3B28

Part of subcall function 00DC3041: GetSysColorBrush.USER32(0000000F), ref: 00DC3074
Part of subcall function 00DC3041: RegisterClassExW.USER32(00000030), ref: 00DC309E
Part of subcall function 00DC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DC30AF
Part of subcall function 00DC3041: InitCommonControlsEx.COMCTL32(?), ref: 00DC30CC
Part of subcall function 00DC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DC30DC
Part of subcall function 00DC3041: LoadIconW.USER32(000000A9), ref: 00DC30F2
Part of subcall function 00DC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DC3101

Strings

0, xrefs: 00DC3B06
AutoIt v3, xrefs: 00DC3B17
#, xrefs: 00DC3B0D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8b25ca4da5d195f162d97417f12e905be1b56d88b226927a8b9878624e79fab
Instruction ID: edfe9a4524f8031ad3f375fba8a086c2c4949b9303446dbb0833f9dd1f18d40f
Opcode Fuzzy Hash: f8b25ca4da5d195f162d97417f12e905be1b56d88b226927a8b9878624e79fab
Instruction Fuzzy Hash: 4F214B75950308AFEB109FA6EC09B9D7BB5FB08710F00416AF508BB2B0D3BA56589F94

Function 00DC3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00DC38CE
/ErrorStdOut, xrefs: 00DC388F
/AutoIt3ExecuteLine, xrefs: 00DC38B9
b, xrefs: 00DFD44E
CMDLINERAW, xrefs: 00DC380D
/AutoIt3OutputDebug, xrefs: 00DC38A4
CMDLINE, xrefs: 00DC3834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00DC37C0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 613f64c75d2d9b0951f48c5180803bc800665f2d7d5c25a2cf752f29c73ba445
Instruction ID: def6e43e59b05d1f29397f46423d0d8cb58f4064f9a7872276a3afc1b99f6451
Opcode Fuzzy Hash: 613f64c75d2d9b0951f48c5180803bc800665f2d7d5c25a2cf752f29c73ba445
Instruction Fuzzy Hash: 06A14A7191022A9ACB05EBA1DC96EEEB7B9FF14300F14452DF416B7191DF74AA09CB70

Function 00DCF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DE03D3
Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DE03DB
Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DE03E6
Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DE03F1
Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DE03F9
Part of subcall function 00DE03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DE0401

Part of subcall function 00DD6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00DCFA90), ref: 00DD62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DCFB2D
OleInitialize.OLE32(00000000), ref: 00DCFBAA
CloseHandle.KERNEL32(00000000), ref: 00E049F2

Strings

%, xrefs: 00DCF8F6, 00DCF908, 00DCFACE, 00DCFBB1
c, xrefs: 00DCF94B
\d, xrefs: 00DCF957
<g, xrefs: 00DCFA90

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g$\d$%$c
API String ID: 1986988660-619945097
Opcode ID: cd676ded48a0ee1862973d4d83b829e631adad6f78891d22675e056720430486
Instruction ID: f655133ecbd0f9a10ee078ac50f0019e207704e7766ec758fd7e2ae6f923aff4
Opcode Fuzzy Hash: cd676ded48a0ee1862973d4d83b829e631adad6f78891d22675e056720430486
Instruction Fuzzy Hash: 718187B09012508FC784EF7BA9556197BF5FB98708B10952AE42DFB272EB36440D8F61

Function 018E2640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018E2711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018E2937

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 786f9cef17b5f25382c70191d57e93f6559b841fb782a6d6b553d87697d60ef4
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: F9A11B74E00219EBDB14CFA8C898BEEBBBAFF49304F108159E515BB281D7759A41CF54

Function 00DC39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DC3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DC3A36
ShowWindow.USER32(00000000,?,?), ref: 00DC3A4A
ShowWindow.USER32(00000000,?,?), ref: 00DC3A53

Strings

AutoIt v3, xrefs: 00DC3A0D, 00DC3A12, 00DC3A13
edit, xrefs: 00DC3A30

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e5b09fd313be7be75bf9ed2c0e3205f7c64fb3cfca67b2306bc9e5314ef149a5
Instruction ID: b681298598724a4a21520114c2e934d9de00abff1eb79439152c6f1925127dee
Opcode Fuzzy Hash: e5b09fd313be7be75bf9ed2c0e3205f7c64fb3cfca67b2306bc9e5314ef149a5
Instruction Fuzzy Hash: 2EF03A706802907EEA3017237C0DF273E7DD7C7F51B01006AF908B6170C2A51805DBB0

Function 018E2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 018E2300: Sleep.KERNELBASE(000001F4), ref: 018E2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018E252A

Strings

P0EBYJ7C7KTTRIQXWA7LR, xrefs: 018E258D, 018E2590

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateFileSleep
String ID: P0EBYJ7C7KTTRIQXWA7LR
API String ID: 2694422964-1317934175
Opcode ID: 6d1220da1c63102ae87c3d79b83ceb6e4ac97baed15dc85580efd6d15b6fbf27
Instruction ID: 6d15cd7ae1dae32868cb48f44eb7f309a8ce0f1a882f151bae04f0068d89de4b
Opcode Fuzzy Hash: 6d1220da1c63102ae87c3d79b83ceb6e4ac97baed15dc85580efd6d15b6fbf27
Instruction Fuzzy Hash: 61519470D0424DDAEF11D7E4C959BEFBBB9AF15304F004199E609BB2C1D6B90B44CB66

Function 00DC410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DFD5EC

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

_memset.LIBCMT ref: 00DC418D
_wcscpy.LIBCMT ref: 00DC41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DC41F1

Strings

Line: , xrefs: 00DFD615

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 7c4337fb037c5b6b60f0f2442bf7f1af395d6687b0cd621f49e841dfc8212890
Instruction ID: 7cd1438e66e611c8db676ffe88b7f1f11bce71d20255a6bbd90db7db7a85e8eb
Opcode Fuzzy Hash: 7c4337fb037c5b6b60f0f2442bf7f1af395d6687b0cd621f49e841dfc8212890
Instruction Fuzzy Hash: 5D31B3710083469ED721EB60DC46FDB77ECAF54310F14455EF199A30A1DB70A648CBB2

Function 00DE564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE56AB
_memcpy_s.LIBCMT ref: 00DE571D
__read_nolock.LIBCMT ref: 00DE577B
__filbuf.LIBCMT ref: 00DE579E
_memset.LIBCMT ref: 00DE57E2

Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 0a920b27627c971385a35a90acd34806e44fb193a60d8cdc901edec887123f54
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: F251DB30A00B85DBDB24BF6AE84056E77A1EF403A8F68832DF865961D4D770DD608B70

Function 00DC69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00DC4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4F6F

_free.LIBCMT ref: 00DFE68C
_free.LIBCMT ref: 00DFE6D3

Part of subcall function 00DC6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DC6D0D

Strings

Bad directive syntax error, xrefs: 00DFE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00DFE462

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ecf2e6990750db7afc55c08d8b4b567ecfb283edcad21df67bb5214f1d23f64b
Instruction ID: 31637f956330e1e806d3b515569f29eab6a70672081012d3b4259e9f72538164
Opcode Fuzzy Hash: ecf2e6990750db7afc55c08d8b4b567ecfb283edcad21df67bb5214f1d23f64b
Instruction Fuzzy Hash: 3191597191025EAFCF04EFA4D8919EDB7B4FF19314B14846EE915AB2A1DB30E944CBB0

Function 00DC35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DC35A1,SwapMouseButtons,00000004,?), ref: 00DC35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DC35A1,SwapMouseButtons,00000004,?,?,?,?,00DC2754), ref: 00DC35F5
RegCloseKey.KERNELBASE(00000000,?,?,00DC35A1,SwapMouseButtons,00000004,?,?,?,?,00DC2754), ref: 00DC3617

Strings

Control Panel\Mouse, xrefs: 00DC35D2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 11e725548e67b5ca645740d2485ca5f1c0a3a17b27becfc0a2be231bde49667e
Instruction ID: 13e8b7652fc7756b6f2cec7360b5b82b57304de34f5fe608a737b71a625ad726
Opcode Fuzzy Hash: 11e725548e67b5ca645740d2485ca5f1c0a3a17b27becfc0a2be231bde49667e
Instruction Fuzzy Hash: 11115775650209BFDB218F65DC80EEEBBB8EF45740F018469F805E7210E272AF459BB0

Function 018E1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018E1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018E1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018E1B73

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: ba654029896b1b16df2692c1dacd4e96e90602e97d1e2c03c0f3a342c6c8e43f
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: CB620C30A14258DBEB24CFA4C854BDEB776EF59300F1091A9D20DEB390E7769E81CB59

Function 00DE493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DE49D0
__flush.LIBCMT ref: 00DE49F0
__write.LIBCMT ref: 00DE4A23
__flsbuf.LIBCMT ref: 00DE4A51

Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 53283956dff9425c9f2d7bca29c4d4f1981475248a35ead35bdad423637f5655
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 584116706007859BDF28EEABC8809AF77A6EF84374B28817DE859D7641D730DD408B74

Function 00DC4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC4E1A

Strings

AU3!P/, xrefs: 00DC4E14
EA06, xrefs: 00DFDCF5

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: 01497a9b45496a5332be038111792a8aee362eb228a1aaf13d4679a240a37bf5
Instruction ID: 6cf09ee932dc615f0e96614ee290d1f606bd3f14af5a7ea3f4f6041d80622325
Opcode Fuzzy Hash: 01497a9b45496a5332be038111792a8aee362eb228a1aaf13d4679a240a37bf5
Instruction Fuzzy Hash: 1A415C31A0425A5BDF215B649871FBE7FAAEF05300F2D416DFC82DB286C6219D8087B1

Function 00DC73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFEE62
GetOpenFileNameW.COMDLG32(?), ref: 00DFEEAC

Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE

Part of subcall function 00DE09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE09F4

Strings

X, xrefs: 00DFEE7A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: fff360b5f46089dc605121758a0ad9ca0383c53a09dc3ebaa10564e4a3167fea
Instruction ID: 0fd33a572aec8baaf825b9990469d68ebf3c4a0b23be0206603272bd8d7661b3
Opcode Fuzzy Hash: fff360b5f46089dc605121758a0ad9ca0383c53a09dc3ebaa10564e4a3167fea
Instruction Fuzzy Hash: 4B21A130A042989BCB159F94C845BEE7BF8DF49300F04805AE508F7242DBB49A898FB1

Function 00E2901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E29036
__fread_nolock.LIBCMT ref: 00E2904B

Strings

EA06, xrefs: 00E2907D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 9e9de2637f3e2363efe68033b9a3a968ea131003f22360d3fac43715dfa28d32
Instruction ID: 6642ad9085289a449b372e43c7a5f2d62253e301dd305f7576722d228585fde4
Opcode Fuzzy Hash: 9e9de2637f3e2363efe68033b9a3a968ea131003f22360d3fac43715dfa28d32
Instruction Fuzzy Hash: 2D01F9729042586EDB28D6A9D856EEE7BF8DB01305F00419AF552D2181E575A6048770

Function 00E29B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00E29B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E29B99

Strings

aut, xrefs: 00E29B93

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b305d3f0af124bfeaf81f7cff7809e9a609c098657fb63de9f3ea9562f2bbf7d
Instruction ID: 8129b7586cbbe53b93cfb2a7e4ec1bed585cb38c0e59f1a7350a2b6d8e865f4c
Opcode Fuzzy Hash: b305d3f0af124bfeaf81f7cff7809e9a609c098657fb63de9f3ea9562f2bbf7d
Instruction Fuzzy Hash: 00D05E7954030DAFDB109B91DC0EF9A772CE704B01F0042B1FE64A10A1EEF155998B95

Function 00E3CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d12f12678d7ad772ba94ffd0c3d544bd885d6fb5d04bdfee2085f3d77434851
Instruction ID: fdeaaa882d4ca2d2f832aeebe9af9fc35a653a4c5fed7bed62c3007c0927ef37
Opcode Fuzzy Hash: 2d12f12678d7ad772ba94ffd0c3d544bd885d6fb5d04bdfee2085f3d77434851
Instruction Fuzzy Hash: 55F15870A083019FC714DF28D884A6ABBE5FF88314F14992EF899AB351D731E945CF92

Function 00DC43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DC44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DC44C3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 57bf6b8bdd791cda1ef415d8fda95dba9e1f55db6d30a355c304ae3381cd31ee
Instruction ID: 58616c4f2c096ad3107d2d012a796403163a194f447eed11a3d7cef2d7ab88c7
Opcode Fuzzy Hash: 57bf6b8bdd791cda1ef415d8fda95dba9e1f55db6d30a355c304ae3381cd31ee
Instruction Fuzzy Hash: B831BFB05083028FC724DF25D894B9BBBE8FB48304F14092EF59AD7250D7B5A948CBA2

Function 00DE594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00DE5963

Part of subcall function 00DEA3AB: __NMSG_WRITE.LIBCMT ref: 00DEA3D2
Part of subcall function 00DEA3AB: __NMSG_WRITE.LIBCMT ref: 00DEA3DC

__NMSG_WRITE.LIBCMT ref: 00DE596A

Part of subcall function 00DEA408: GetModuleFileNameW.KERNEL32(00000000,00E843BA,00000104,?,00000001,00000000), ref: 00DEA49A
Part of subcall function 00DEA408: ___crtMessageBoxW.LIBCMT ref: 00DEA548

Part of subcall function 00DE32DF: ___crtCorExitProcess.LIBCMT ref: 00DE32E5
Part of subcall function 00DE32DF: ExitProcess.KERNEL32 ref: 00DE32EE

Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68

RtlAllocateHeap.NTDLL(01910000,00000000,00000001,00000000,?,?,?,00DE1013,?), ref: 00DE598F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7a619b0b1350988842e9699db26ae33d84ec776f3dba2e8774a0bd2d319dcf56
Instruction ID: 748cce2f8ee7d01d4a19d096bb1b14108deae91512b9bfbf35af5d8fdca843b7
Opcode Fuzzy Hash: 7a619b0b1350988842e9699db26ae33d84ec776f3dba2e8774a0bd2d319dcf56
Instruction Fuzzy Hash: 2401F931201B92DED6117767FC417AD7248CF417B8F540026F405AB2D2DE709D015B75

Function 00E29B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E297D2,?,?,?,?,?,00000004), ref: 00E29B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E29B5B
CloseHandle.KERNEL32(00000000,?,00E297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E29B62

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1a186793708bf9a79ffd08048c620ba3b4e1698196b96c69311a0b154e18349f
Instruction ID: 5fe8fac9e3851719af92764ff264a4c686a4ec9f01748178fcbba85e0d028d31
Opcode Fuzzy Hash: 1a186793708bf9a79ffd08048c620ba3b4e1698196b96c69311a0b154e18349f
Instruction Fuzzy Hash: 2DE08636181224BBDB211F55EC09FCA7B58AB06F65F104220FB54791E187B125169798

Function 00E28F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E28FA5

Part of subcall function 00DE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE9C64), ref: 00DE2FA9
Part of subcall function 00DE2F95: GetLastError.KERNEL32(00000000,?,00DE9C64), ref: 00DE2FBB

_free.LIBCMT ref: 00E28FB6
_free.LIBCMT ref: 00E28FC8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: 9d7b3b71113e7af3179a3c923e6a66787b7d99f1bbc61beb22d8bf5a3029c993
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: 1EE012B170A7554AEA24B6BABF40AA357EE9F48355718181DB40DEB142DE24E8418134

Function 00DCAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00E0002B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f77770215a77ba99c0775ef3c387c88f69d46ec5473fb26b64de95858d14a93f
Instruction ID: 93e6369a5bf7cce5bebc5b994b2175c1382703253ce437af5616d55c701f585e
Opcode Fuzzy Hash: f77770215a77ba99c0775ef3c387c88f69d46ec5473fb26b64de95858d14a93f
Instruction Fuzzy Hash: 93223674608246CFC724DF18C495F6ABBE1FF44304F19895DE89A9B262D731EC85CBA2

Function 00DC492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00DC4992

Part of subcall function 00DE35AC: __lock.LIBCMT ref: 00DE35B2
Part of subcall function 00DE35AC: DecodePointer.KERNEL32(00000001,?,00DC49A7,00E181BC), ref: 00DE35BE
Part of subcall function 00DE35AC: EncodePointer.KERNEL32(?,?,00DC49A7,00E181BC), ref: 00DE35C9

Part of subcall function 00DC4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DC4A73
Part of subcall function 00DC4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DC4A88

Part of subcall function 00DC3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DC3B7A
Part of subcall function 00DC3B4C: IsDebuggerPresent.KERNEL32 ref: 00DC3B8C
Part of subcall function 00DC3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E862F8,00E862E0,?,?), ref: 00DC3BFD
Part of subcall function 00DC3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00DC3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DC49D2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 261c54fac58d9da5917ee06ecdcf9c44415c6271aa75f5395b1dc287a6fe94a1
Instruction ID: ca32a43b8790d21094bd69c68f254ef0ff959cf0f10a24f53ee30d58ea61a433
Opcode Fuzzy Hash: 261c54fac58d9da5917ee06ecdcf9c44415c6271aa75f5395b1dc287a6fe94a1
Instruction Fuzzy Hash: E7118C719183129FC700EF2ADC49A0AFBE8EF94710F00451EF499A72B1DB709549CBA2

Function 00DC5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00DC5981,?,?,?,?), ref: 00DC5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00DC5981,?,?,?,?), ref: 00DFE19C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 522812750d40227a81ebbbeb29797d06ed9241f4f7ef848367e8089d2f1f9c0a
Instruction ID: 945918a9c1dae03daff725aeacc91d60fc8cab2f33b1bb32ec06a6d07519fab7
Opcode Fuzzy Hash: 522812750d40227a81ebbbeb29797d06ed9241f4f7ef848367e8089d2f1f9c0a
Instruction Fuzzy Hash: 29017970244709BEF7250E15DC86F76379CEB05768F14C319FAE56B1E0C6B46E858B60

Function 00DE0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DE594C: __FF_MSGBANNER.LIBCMT ref: 00DE5963
Part of subcall function 00DE594C: __NMSG_WRITE.LIBCMT ref: 00DE596A
Part of subcall function 00DE594C: RtlAllocateHeap.NTDLL(01910000,00000000,00000001,00000000,?,?,?,00DE1013,?), ref: 00DE598F

std::exception::exception.LIBCMT ref: 00DE102C
__CxxThrowException@8.LIBCMT ref: 00DE1041

Part of subcall function 00DE87DB: RaiseException.KERNEL32(?,?,?,00E7BAF8,00000000,?,?,?,?,00DE1046,?,00E7BAF8,?,00000001), ref: 00DE8830

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 736d094ee1571ba1a1afad4c8128106a36545196c4fafa42dde1fc96223da603
Instruction ID: 01728528240980f2795801546aa6bc4c58029e65704eae0357b8029b1f047edc
Opcode Fuzzy Hash: 736d094ee1571ba1a1afad4c8128106a36545196c4fafa42dde1fc96223da603
Instruction Fuzzy Hash: 12F0C83960039DA6CB20BA5AEC169DF7BACDF01351F500429FD08A6691DFB1CA8497F1

Function 00DE582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE585C
__lock_file.LIBCMT ref: 00DE587D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5da88490bacbead166213e62477c02d1488cc55c245288a274595113011ab568
Instruction ID: b489864ea5da377694bc96c679f230cf64ee34996c9185af8f10127b6db69470
Opcode Fuzzy Hash: 5da88490bacbead166213e62477c02d1488cc55c245288a274595113011ab568
Instruction Fuzzy Hash: 58018871C00685EBCF12BF679C0559F7B61EF403A4F148215F8185B1A5DB31CA11EBB1

Function 00DE55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68

__lock_file.LIBCMT ref: 00DE561B

Part of subcall function 00DE6E4E: __lock.LIBCMT ref: 00DE6E71

__fclose_nolock.LIBCMT ref: 00DE5626

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 8dc94b9227b7383745f57a11bdef809e6b29e8ddd92fc0d5106e4db0a4dd438f
Instruction ID: c84237ab07e9a80774e9824d91f7b907ced2f904697e56053a4fb834bf4e892a
Opcode Fuzzy Hash: 8dc94b9227b7383745f57a11bdef809e6b29e8ddd92fc0d5106e4db0a4dd438f
Instruction Fuzzy Hash: 12F02471800B809AD720BF779C0276E77A0AF013B8F54820DE428AB0C5CF7C8901AB71

Function 018E12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018E1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018E1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018E1B73

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: fb6a62ceed82d1ba1512affeacec87650d36176512e8fc8250697f252f5d1968
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 8212ED24E24658C6EB24DF64D8547DEB272EF68300F1090E9910DEB7A4E77A4F81CF5A

Function 00DD2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dab76cbeb5136c76f7d92803a8431a198b23c2ac9dddcd37096e5810fe43c07
Instruction ID: 4b5f9e7661580dbbf1aa220400ef328d7e54f9209e19dc54919a33b9e7c40c7c
Opcode Fuzzy Hash: 6dab76cbeb5136c76f7d92803a8431a198b23c2ac9dddcd37096e5810fe43c07
Instruction Fuzzy Hash: 5F517C35700605AFCF14EB64C996FAE77A6EF84310F1481A9F946AB392CA30ED40CB71

Function 00DC5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00DC5CF6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 27c810f5c2c8560f12aac949f44a81f2f630342f72aee02b78c08c58e26735fd
Instruction ID: a3206bffc1856306ab93ebdae144a9edc2eae07c4fdd6722fde4a8d3a408c9c9
Opcode Fuzzy Hash: 27c810f5c2c8560f12aac949f44a81f2f630342f72aee02b78c08c58e26735fd
Instruction Fuzzy Hash: AD313E71A00B0AAFCB18DF2DD584B6DB7B5FF44320F188619D81993714D771B9A0DBA0

Function 00E000D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E000E1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1a7a6857101e69709761d8acf8b3bff9491291f45f718df3ba9f964c994ed321
Instruction ID: 037108e1cae4b23803792b6c821442f91853313ae065fbcdd6bf42d06cadcb3f
Opcode Fuzzy Hash: 1a7a6857101e69709761d8acf8b3bff9491291f45f718df3ba9f964c994ed321
Instruction Fuzzy Hash: B341F574608351CFDB24DF18C484B1ABBE0BF45318F19889CE89A5B762C736E885CB62

Function 00DC5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC5B61

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 661e4ca0bdcdaa020e3aa7124f60c3742a776d6811e32ded9e00fac7a7d498c7
Instruction ID: 822328c4eda9032ff7899bc1d7fe4dab611aac13ad9c8fcbf3349a34780fee85
Opcode Fuzzy Hash: 661e4ca0bdcdaa020e3aa7124f60c3742a776d6811e32ded9e00fac7a7d498c7
Instruction Fuzzy Hash: 7821D130A00A0DEBDB149F16E885B7A7FB8FF00380F26C46EE589D6020EB7094E08771

Function 00DCC707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00DCC73D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 6607046b7c499c0f97db259352dfd6d17b10ca954c46bcfa27e52aa67848bf18
Instruction ID: 7ef3104b9f371c67b6ed2a69368565a5d4558d634248e085bd51ae6be5a28571
Opcode Fuzzy Hash: 6607046b7c499c0f97db259352dfd6d17b10ca954c46bcfa27e52aa67848bf18
Instruction Fuzzy Hash: F7119371A1411A9BCB14EBA9DC81EEEF778EF50350F10512AF915AB190DB709D45CBB0

Function 00DC4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DC4D4D

Part of subcall function 00DE548B: __wfsopen.LIBCMT ref: 00DE5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4F6F

Part of subcall function 00DC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DC4D02

Part of subcall function 00DC4DD0: _memmove.LIBCMT ref: 00DC4E1A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: ecdb258fb04e0ee8653d7530e6d9d652e9f869651b7140bf74dc52a7a7e1a752
Instruction ID: dafd6ed8f8765608b30f6ce2e6f81d292d3894327476f5a17e0a1ba19cd62b2b
Opcode Fuzzy Hash: ecdb258fb04e0ee8653d7530e6d9d652e9f869651b7140bf74dc52a7a7e1a752
Instruction Fuzzy Hash: 3711E33160030AAACF10FF70DC66FAE77A9DF80711F20842DF942A71C5DA719A059BB0

Function 00E001AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E001BB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9f2f0a12e6d19a3338593ac02c294225b9e2a1db023a620874c667e4bb78770b
Instruction ID: 155b70be8b612ee9f6e7fb7fe43f6f19a1e97ea6568b73b94540fd800c0ae393
Opcode Fuzzy Hash: 9f2f0a12e6d19a3338593ac02c294225b9e2a1db023a620874c667e4bb78770b
Instruction Fuzzy Hash: 7821FF78608342DFCB14DF68C445B1ABBE4BB84718F09896CF98A57761D731E845CBA2

Function 00DC5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00DC5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00DC5D76

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ee1397170c46469c967ebd10ebb8f906046529226098928f3cb37b1666062734
Instruction ID: 8e5a1d6a88b1203259be89680e20b4a7f91f332951de3f704de93225f0d16511
Opcode Fuzzy Hash: ee1397170c46469c967ebd10ebb8f906046529226098928f3cb37b1666062734
Instruction Fuzzy Hash: 61112571200B029FD3208F15E888F62B7E9EB45760F14892EE4AB87A54D7B1F985CB60

Function 00DCC6DC Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00DCC73D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: ea92242317d92e74360b8398ce36ede69cedab5c16cccd970a974c47b0ed9f39
Instruction ID: b1cbc7d5ce959e8f1fe9f2c140ddd66fdb3dc62851a22cd313080beaf5b0e782
Opcode Fuzzy Hash: ea92242317d92e74360b8398ce36ede69cedab5c16cccd970a974c47b0ed9f39
Instruction Fuzzy Hash: C0010032E142579FEB119B298840AAAFBB5EF46360F19409BD814AB2A1D2308C05CBB0

Function 00DC5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DFE141

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8e5742d8604840a39b4b52d433faf62baee0d16ba583a21fff711293b0587678
Instruction ID: 31f3c9b635d77c15a9c853fac0ab70246b8ad8efd50af91d0fa611d6b5ac6f06
Opcode Fuzzy Hash: 8e5742d8604840a39b4b52d433faf62baee0d16ba583a21fff711293b0587678
Instruction Fuzzy Hash: 30017CB9600542ABC305EB29D841E2AFBAAFF8A3103148159F819C7702DB30FC61CBF0

Function 00DE4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00DE4AD6

Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 4529e9b210220bdf501e779fefb68c204d8375e6f0d6d3ef47b71fce6a42d4c9
Instruction ID: b97c5e5ca00e55270b73879da5436c2f823c48c1b97f9dd7b55479727e710ed9
Opcode Fuzzy Hash: 4529e9b210220bdf501e779fefb68c204d8375e6f0d6d3ef47b71fce6a42d4c9
Instruction Fuzzy Hash: 17F031319402899BDB51BF668C0679E7661EF00329F188514B428AA1D1DB788951EF75

Function 00DC4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4FDE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 41a0e3e159e00813bf6f81bf43ed54e6aa87e54171b353f66aef951275ca1f66
Instruction ID: f98dda8b68242487887493614247dfff720a5ccc49287cbed4dfb33333148ddd
Opcode Fuzzy Hash: 41a0e3e159e00813bf6f81bf43ed54e6aa87e54171b353f66aef951275ca1f66
Instruction Fuzzy Hash: 49F03971105712CFCB349F65E4A4D12BBF1BF043293248A3EE5D683610C731A844DF60

Function 00DE09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DE09F4

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 74ab72cf2ec1a13c1e8b31833368c476f305a7454f538f346875c57872802406
Instruction ID: dd9ebd084718fb662ef4a6e56d5a6d8a088bcbac30d898cb991557a4360d5111
Opcode Fuzzy Hash: 74ab72cf2ec1a13c1e8b31833368c476f305a7454f538f346875c57872802406
Instruction Fuzzy Hash: C5E0CD3690522C9BC721D658DC05FFA77EDDF89790F0541B5FD0CD7214D9A19C8186B0

Function 00E29129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E2914B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 586c39da62b2c0387e6b18487addebd118fe28c379042e06353e3b03c1099267
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: C1E092B0104B405FD7388A24E8507E373E0EB06319F00181CF29A93342EB6278418759

Function 00DC5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00DFE16B,?,?,00000000), ref: 00DC5DBF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a6a0fef9ece3320c4e95a6b9458631d9e0986f92d296a497ab8e54fd533c2909
Instruction ID: fc807aefe2b91234c38e5ddf3f2112cf3309371845bf9a5015353d348b62805a
Opcode Fuzzy Hash: a6a0fef9ece3320c4e95a6b9458631d9e0986f92d296a497ab8e54fd533c2909
Instruction Fuzzy Hash: 7DD0C77464020CBFE710DB81DC46FA9777CD705710F100294FD0466390D6B27D548795

Function 00DE548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00DE5496

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1b2c04682042eaf6eb34b74b96f949375ec9850667421284890d764d1b135b52
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 17B0927684060C77DE022E82FC02A593B199B406B8F808020FB0C181A2A673A6A096A9

Function 00E2D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00E2D46A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 436da60f2c3f6a0dcb8e18dee0f480478ebe1070bbd5b12a2a78590b7545f5db
Instruction ID: dec377a830005e41ef2bf02323c598c00b678a81bb7042c7c58645bdedf3f4de
Opcode Fuzzy Hash: 436da60f2c3f6a0dcb8e18dee0f480478ebe1070bbd5b12a2a78590b7545f5db
Instruction Fuzzy Hash: E47150302083128FC714EF65E891F6AB7E0EF88314F04556DF5969B2A1DF70E949CB62

Function 00DE0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00DE0EF7

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4e5adbd2006c076c631ae867d72e4931e154699c38564a13ffe6b3daf7612e00
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D1311670A00145DFC718EF5AD480969FBB6FF59700B688AA5E449CB651D7B0EDC1CBE0

Function 018E2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018E2311

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: bec00c30b551d6ae08dcbc1e220d77b75665442dd1c98cebd0e8a9db1ea8b657
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: CAE0E67594010DDFDB00EFB4D54D69E7FF4EF04301F100561FD01D2281D6309E509A62

Non-executed Functions

Function 00E4CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E4CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E4CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E4CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E4CF00
SendMessageW.USER32 ref: 00E4CF29
_wcsncpy.LIBCMT ref: 00E4CFA1
GetKeyState.USER32(00000011), ref: 00E4CFC2
GetKeyState.USER32(00000009), ref: 00E4CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E4CFE5
GetKeyState.USER32(00000010), ref: 00E4CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E4D018
SendMessageW.USER32 ref: 00E4D03F
SendMessageW.USER32(?,00001030,?,00E4B602), ref: 00E4D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E4D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E4D16E
SetCapture.USER32(?), ref: 00E4D177
ClientToScreen.USER32(?,?), ref: 00E4D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E4D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E4D203
ReleaseCapture.USER32 ref: 00E4D20E
GetCursorPos.USER32(?), ref: 00E4D248
ScreenToClient.USER32(?,?), ref: 00E4D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E4D2B1
SendMessageW.USER32 ref: 00E4D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E4D31C
SendMessageW.USER32 ref: 00E4D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E4D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E4D37B
GetCursorPos.USER32(?), ref: 00E4D39B
ScreenToClient.USER32(?,?), ref: 00E4D3A8
GetParent.USER32(?), ref: 00E4D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E4D431
SendMessageW.USER32 ref: 00E4D462
ClientToScreen.USER32(?,?), ref: 00E4D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E4D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E4D51A
SendMessageW.USER32 ref: 00E4D53D
ClientToScreen.USER32(?,?), ref: 00E4D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E4D5C3

Part of subcall function 00DC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DC25EC

GetWindowLongW.USER32(?,000000F0), ref: 00E4D65F

Strings

@GUI_DRAGID, xrefs: 00E4D1AA
pr, xrefs: 00E4D1BD
F, xrefs: 00E4D543

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 3977979337-1436871235
Opcode ID: 97945179a7a051d9bb96cdfbb38a78b00313f6e0932770a7e51a434385c0bb98
Instruction ID: a1b1ae5ddc2275e83ea6110b8ed23fe77b408f9cd0de697da789e67117d102a6
Opcode Fuzzy Hash: 97945179a7a051d9bb96cdfbb38a78b00313f6e0932770a7e51a434385c0bb98
Instruction Fuzzy Hash: 2342FD34609341AFC725CF29E844FAABBE5FF49718F24051DF699A72A0C731D845CBA2

Function 00E4804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E4873F

Strings

%d/%02d/%02d, xrefs: 00E48478

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 63d21d98cbfcd3b9f856ab94c39cfffaa38203e4977feadb30489d7086b0d891
Instruction ID: 5adf82282d8b3954da609c70835b12a89e77b83094f28edc60952e443743d492
Opcode Fuzzy Hash: 63d21d98cbfcd3b9f856ab94c39cfffaa38203e4977feadb30489d7086b0d891
Instruction Fuzzy Hash: 68120270500204AFEB259F25ED49FAE7BB8EF49B14F20516AF915FA2E1DF708941CB60

Function 00DD710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DD75C2
_memset.LIBCMT ref: 00DD76B1
_memmove.LIBCMT ref: 00DD7C4B
_memmove.LIBCMT ref: 00DD7E4F

Strings

DEFINE, xrefs: 00E125AF
[:<:]], xrefs: 00DD75F1
\b(?<=\w), xrefs: 00E13C41
[:>:]], xrefs: 00DD760A
0w, xrefs: 00E11F5B
\b(?=\w), xrefs: 00E13C34
Q\E, xrefs: 00DD81C1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3460961967
Opcode ID: ea0269753b9baa3eeff57dec6aaddfed6584659252ab7dd7c0c62d02d6c5bc93
Instruction ID: 290e9796d0142d6e5a4516d2bce2c7739880484adf718c5827cd9904f2933ad4
Opcode Fuzzy Hash: ea0269753b9baa3eeff57dec6aaddfed6584659252ab7dd7c0c62d02d6c5bc93
Instruction Fuzzy Hash: 9D938E71A002199BDB24CFA8D881BEDB7B1FF48714F25916AE955BB380E7709EC1CB50

Function 00DC4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00DC4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DFDA8E
IsIconic.USER32(?), ref: 00DFDA97
ShowWindow.USER32(?,00000009), ref: 00DFDAA4
SetForegroundWindow.USER32(?), ref: 00DFDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DFDAC4
GetCurrentThreadId.KERNEL32 ref: 00DFDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DFDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00DFDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00DFDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00DFDAF8
SetForegroundWindow.USER32(?), ref: 00DFDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB10
keybd_event.USER32(00000012,00000000), ref: 00DFDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB25
keybd_event.USER32(00000012,00000000), ref: 00DFDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB33
keybd_event.USER32(00000012,00000000), ref: 00DFDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DFDB42
keybd_event.USER32(00000012,00000000), ref: 00DFDB47
SetForegroundWindow.USER32(?), ref: 00DFDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00DFDB71

Strings

Shell_TrayWnd, xrefs: 00DFDA89

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ccca4398a9d9f8e856582aeb1522fb9e3c53ebcd54809693a9e2b066606677af
Instruction ID: bc02e1ab9ed3616fab7b0471ada40cc3bdc27f7b54ef3f952f0752bde2e98744
Opcode Fuzzy Hash: ccca4398a9d9f8e856582aeb1522fb9e3c53ebcd54809693a9e2b066606677af
Instruction Fuzzy Hash: 31316275A4031CBEEB216F629C49F7F3E6DEB45F50F168065FA04FA1D0C6B09D01AAA0

Function 00E18858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00E18CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E18D0D
Part of subcall function 00E18CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E18D3A
Part of subcall function 00E18CC3: GetLastError.KERNEL32 ref: 00E18D47

_memset.LIBCMT ref: 00E1889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E188ED
CloseHandle.KERNEL32(?), ref: 00E188FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E18915
GetProcessWindowStation.USER32 ref: 00E1892E
SetProcessWindowStation.USER32(00000000), ref: 00E18938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E18952

Part of subcall function 00E18713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E18851), ref: 00E18728
Part of subcall function 00E18713: CloseHandle.KERNEL32(?,?,00E18851), ref: 00E1873A

Strings

default, xrefs: 00E1894D
, xrefs: 00E188AA
winsta0, xrefs: 00E18910

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 84d7bbcacf8246a553bb5a58a1b69a1a41302c98285a4ffa2d970ff1ed331bae
Instruction ID: 7ed37b9439a9fde8481acaae40666174bca1e8c39f7b80832d9a8be2cc6606e1
Opcode Fuzzy Hash: 84d7bbcacf8246a553bb5a58a1b69a1a41302c98285a4ffa2d970ff1ed331bae
Instruction Fuzzy Hash: 3F817975900209AFDF11DFA1DE45AEEBBB8FF05709F08516AF820B2161DB318E95DB60

Function 00E3425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E4F910), ref: 00E34284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E34292
GetClipboardData.USER32(0000000D), ref: 00E3429A
CloseClipboard.USER32 ref: 00E342A6
GlobalLock.KERNEL32(00000000), ref: 00E342C2
CloseClipboard.USER32 ref: 00E342CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E342E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00E342EE
GetClipboardData.USER32(00000001), ref: 00E342F6
GlobalLock.KERNEL32(00000000), ref: 00E34303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00E34337
CloseClipboard.USER32 ref: 00E34447

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: aec910df08d69e30429ebb8a92907e732319ac1503b388da41c7da8a3fd11fc8
Instruction ID: ee6fe760edb2c845940dce2c713d596f6961a4f7bd15c57c78b7a3be2d4124d1
Opcode Fuzzy Hash: aec910df08d69e30429ebb8a92907e732319ac1503b388da41c7da8a3fd11fc8
Instruction Fuzzy Hash: 2C517E75204206AFD311AB61EC99F6F7BA8AF85B00F014529F556F31F1DF70A909CB62

Function 00E2C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E2C9F8
FindClose.KERNEL32(00000000), ref: 00E2CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E2CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E2CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E2CAAF
__swprintf.LIBCMT ref: 00E2CAFB
__swprintf.LIBCMT ref: 00E2CB3E

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

__swprintf.LIBCMT ref: 00E2CB92

Part of subcall function 00DE38D8: __woutput_l.LIBCMT ref: 00DE3931

__swprintf.LIBCMT ref: 00E2CBE0

Part of subcall function 00DE38D8: __flsbuf.LIBCMT ref: 00DE3953
Part of subcall function 00DE38D8: __flsbuf.LIBCMT ref: 00DE396B

__swprintf.LIBCMT ref: 00E2CC2F
__swprintf.LIBCMT ref: 00E2CC7E
__swprintf.LIBCMT ref: 00E2CCCD

Strings

%4d, xrefs: 00E2CB38
%4d%02d%02d%02d%02d%02d, xrefs: 00E2CAF5
%02d, xrefs: 00E2CB86, 00E2CB90, 00E2CBDE, 00E2CC2D, 00E2CC7C, 00E2CCCB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 7dbb475dc7caf35aaf7c07d3e1fe4d21e1d3229b525a0ec08cc6466348389e51
Instruction ID: 0af82fa80693394a488583af410dcc1bce2dea529e3c0baaa3eff840e4e0a22a
Opcode Fuzzy Hash: 7dbb475dc7caf35aaf7c07d3e1fe4d21e1d3229b525a0ec08cc6466348389e51
Instruction Fuzzy Hash: 4DA13DB1508345ABC700EBA5D895EAFB7ECEF94700F40492DF586D3191EA34EA09CB72

Function 00E2F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E2F221
_wcscmp.LIBCMT ref: 00E2F236
_wcscmp.LIBCMT ref: 00E2F24D
GetFileAttributesW.KERNEL32(?), ref: 00E2F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00E2F279
FindNextFileW.KERNEL32(00000000,?), ref: 00E2F291
FindClose.KERNEL32(00000000), ref: 00E2F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00E2F2B8
_wcscmp.LIBCMT ref: 00E2F2DF
_wcscmp.LIBCMT ref: 00E2F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00E2F308
SetCurrentDirectoryW.KERNEL32(00E7A5A0), ref: 00E2F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E2F330
FindClose.KERNEL32(00000000), ref: 00E2F33D
FindClose.KERNEL32(00000000), ref: 00E2F34F

Strings

*.*, xrefs: 00E2F2B3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 51c2d9902e6d54cb1882cc7c8bb036f01219bee229580b05960f0bd81e9b3862
Instruction ID: 9f14e40c1836ded3268560e5ad7fcac15341392b81b25bb25e9c1159dfaf9629
Opcode Fuzzy Hash: 51c2d9902e6d54cb1882cc7c8bb036f01219bee229580b05960f0bd81e9b3862
Instruction Fuzzy Hash: AD31D4765002296FDB10EFB1EC58AEE77BC9F4A725F145175E804F30A0EB70DA458B64

Function 00E40AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E4F910,00000000,?,00000000,?,?), ref: 00E40C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E40C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E40D1D
RegCloseKey.ADVAPI32(?), ref: 00E4103D
RegCloseKey.ADVAPI32(00000000), ref: 00E4104A

Strings

REG_QWORD, xrefs: 00E40F8B
REG_SZ, xrefs: 00E40D5B
REG_EXPAND_SZ, xrefs: 00E40CBA
REG_MULTI_SZ, xrefs: 00E40E05
REG_DWORD, xrefs: 00E40F0E
REG_BINARY, xrefs: 00E40FD8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1c3c0b632954bcecc007799a88b1ea23a57c3e10b140d25a4a64aea4516aaac4
Instruction ID: 53e3b6940252dfea9af3ebb838f1d860d14956422988a908feba7aaa4336e2fe
Opcode Fuzzy Hash: 1c3c0b632954bcecc007799a88b1ea23a57c3e10b140d25a4a64aea4516aaac4
Instruction Fuzzy Hash: CF028E352006019FCB14EF25D895E2AB7E5FF88714F05985DF98AAB362CB30EC45CB61

Function 00E2F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E2F37E
_wcscmp.LIBCMT ref: 00E2F393
_wcscmp.LIBCMT ref: 00E2F3AA

Part of subcall function 00E245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E245DC

FindNextFileW.KERNEL32(00000000,?), ref: 00E2F3D9
FindClose.KERNEL32(00000000), ref: 00E2F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00E2F400
_wcscmp.LIBCMT ref: 00E2F427
_wcscmp.LIBCMT ref: 00E2F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00E2F450
SetCurrentDirectoryW.KERNEL32(00E7A5A0), ref: 00E2F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E2F478
FindClose.KERNEL32(00000000), ref: 00E2F485
FindClose.KERNEL32(00000000), ref: 00E2F497

Strings

*.*, xrefs: 00E2F3FB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: a4b02ccd56dca1dc47ce4a2af8ddb4aee88dc8f404ee2b4c55ce5f85c15f9064
Instruction ID: c957365b65eb5774212fd8171c52d88e414a07cb0453832dc76c7d0991838d3a
Opcode Fuzzy Hash: a4b02ccd56dca1dc47ce4a2af8ddb4aee88dc8f404ee2b4c55ce5f85c15f9064
Instruction Fuzzy Hash: 1131F2765002296FCB10FFA5FC88AEE77BC9F49725F145275E814B30A0DBB0DA45CA64

Function 00E181F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E18766
Part of subcall function 00E1874A: GetLastError.KERNEL32(?,00E1822A,?,?,?), ref: 00E18770
Part of subcall function 00E1874A: GetProcessHeap.KERNEL32(00000008,?,?,00E1822A,?,?,?), ref: 00E1877F
Part of subcall function 00E1874A: HeapAlloc.KERNEL32(00000000,?,00E1822A,?,?,?), ref: 00E18786
Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E1879D

Part of subcall function 00E187E7: GetProcessHeap.KERNEL32(00000008,00E18240,00000000,00000000,?,00E18240,?), ref: 00E187F3
Part of subcall function 00E187E7: HeapAlloc.KERNEL32(00000000,?,00E18240,?), ref: 00E187FA
Part of subcall function 00E187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E18240,?), ref: 00E1880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E1825B
_memset.LIBCMT ref: 00E18270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E1828F
GetLengthSid.ADVAPI32(?), ref: 00E182A0
GetAce.ADVAPI32(?,00000000,?), ref: 00E182DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E182F9
GetLengthSid.ADVAPI32(?), ref: 00E18316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E18325
HeapAlloc.KERNEL32(00000000), ref: 00E1832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E1834D
CopySid.ADVAPI32(00000000), ref: 00E18354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E18385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E183AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E183BF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a3b639d86cb5ad5b3b6c635e867ea8de9ff2f03e80dff94a6684817ed0e3df16
Instruction ID: 1e89bec27988e533b344c33f3287a901de6b843c5585d379a9213c2ae5fa6196
Opcode Fuzzy Hash: a3b639d86cb5ad5b3b6c635e867ea8de9ff2f03e80dff94a6684817ed0e3df16
Instruction Fuzzy Hash: 55616975900209AFDF049FA1DD84AEEBBB9FF04704F04916AE825B6291DB309A45DB60

Function 00DD6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 00E11635
NO_AUTO_POSSESS), xrefs: 00E11567
ANYCRLF), xrefs: 00E11734
UTF), xrefs: 00E11533
LIMIT_MATCH=, xrefs: 00E115A9
ANY), xrefs: 00E11717
LF), xrefs: 00E116DD
CRLF), xrefs: 00E116FA
NO_START_OPT), xrefs: 00E11588
BSR_UNICODE), xrefs: 00E11771
UCP), xrefs: 00E11546
BSR_ANYCRLF), xrefs: 00E11757
CR), xrefs: 00E116C0
PJ, xrefs: 00DD68B3
UTF16), xrefs: 00E11508

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
API String ID: 0-1624373025
Opcode ID: da212ef6f6dbaf3fb58b5e9a0806c9711cdba063232acc79377ff7a08f614bc0
Instruction ID: 874c362223d1b2043422f9e4f7f359ff261652e576f9c0f54c33085f25cee0ce
Opcode Fuzzy Hash: da212ef6f6dbaf3fb58b5e9a0806c9711cdba063232acc79377ff7a08f614bc0
Instruction Fuzzy Hash: 44725E75E002199BDB24CF59D8807EEB7B5EF88710F1491ABE959FB380D7709981CBA0

Function 00E40665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40737

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E407D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E4086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E40AAD
RegCloseKey.ADVAPI32(00000000), ref: 00E40ABA

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b6aa36525ebfbc1f5bc351382edb3074ba6b7a05e6e582711216d058b3dc7ddf
Instruction ID: c3f640932be3541b1541ae679c1ef1a41583b8355a4ef1c5c0ff3277dbd8c59d
Opcode Fuzzy Hash: b6aa36525ebfbc1f5bc351382edb3074ba6b7a05e6e582711216d058b3dc7ddf
Instruction Fuzzy Hash: 2EE17D31204311AFCB14DF25D895E6ABBE4EF89714F04986DF54AEB2A2DB30ED05CB61

Function 00E20219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E20241
GetAsyncKeyState.USER32(000000A0), ref: 00E202C2
GetKeyState.USER32(000000A0), ref: 00E202DD
GetAsyncKeyState.USER32(000000A1), ref: 00E202F7
GetKeyState.USER32(000000A1), ref: 00E2030C
GetAsyncKeyState.USER32(00000011), ref: 00E20324
GetKeyState.USER32(00000011), ref: 00E20336
GetAsyncKeyState.USER32(00000012), ref: 00E2034E
GetKeyState.USER32(00000012), ref: 00E20360
GetAsyncKeyState.USER32(0000005B), ref: 00E20378
GetKeyState.USER32(0000005B), ref: 00E2038A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 42d45c8702a56434b5ec5c06ee816d267b9b83b193bb70e14a90907b0a1859b1
Instruction ID: 12004de3c3dcabf2992217822e478ca92a0ce56b109d1c41968d5c5bc2ec7e66
Opcode Fuzzy Hash: 42d45c8702a56434b5ec5c06ee816d267b9b83b193bb70e14a90907b0a1859b1
Instruction Fuzzy Hash: 5941A8345047E9AFFF31DB64A8083A5BFA06F16348F08509ED5C6761D3EBA45DC887A2

Function 00E386D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

CoInitialize.OLE32 ref: 00E38718
CoUninitialize.OLE32 ref: 00E38723
CoCreateInstance.OLE32(?,00000000,00000017,00E52BEC,?), ref: 00E38783
IIDFromString.OLE32(?,?), ref: 00E387F6
VariantInit.OLEAUT32(?), ref: 00E38890
VariantClear.OLEAUT32(?), ref: 00E388F1

Strings

Failed to create object, xrefs: 00E3878E, 00E38844
NULL Pointer assignment, xrefs: 00E387C8
Invalid parameter, xrefs: 00E3880F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 1328df92402d62731efd2ff865c4d0eee8e8826c04e8763678625ae2cb1f4065
Instruction ID: 434c2006c432392e58df4637ebf258f88d8b79247a71eed9a2a8eb26b9ffbd61
Opcode Fuzzy Hash: 1328df92402d62731efd2ff865c4d0eee8e8826c04e8763678625ae2cb1f4065
Instruction Fuzzy Hash: 4E61BF706083019FD714DF24CA48F6ABBE4EF89714F54581EF985AB291CB70ED48CBA2

Function 00E34458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E3447F
EmptyClipboard.USER32 ref: 00E34485
GlobalAlloc.KERNEL32(00000002,?), ref: 00E3449A
CloseClipboard.USER32 ref: 00E34539

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d39bece8e40c5c93a6301b57ba829d676461697a4cf13ceb37e51a58b3e1d84c
Instruction ID: 6016150ea625f68e97e28b330422539a26c130c36120aced48e6c0971ababe71
Opcode Fuzzy Hash: d39bece8e40c5c93a6301b57ba829d676461697a4cf13ceb37e51a58b3e1d84c
Instruction Fuzzy Hash: 3621B779200611AFDB119F21EC1DF6D7BA8EF05B15F11806AF94AE72B1CB70AC01CB94

Function 00E23A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE

Part of subcall function 00E24CD3: GetFileAttributesW.KERNEL32(?,00E23947), ref: 00E24CD4

FindFirstFileW.KERNEL32(?,?), ref: 00E23ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E23B87
MoveFileW.KERNEL32(?,?), ref: 00E23B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E23BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E23BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E23BF5

Strings

\*.*, xrefs: 00E23A8A, 00E23A93, 00E23AA8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: dc53b0ef7543420e3750dd8de099858bc6c07c4a4475ecb1196c7259c6932a6b
Instruction ID: 12e4607b88c7f1c77a13444aa3131e5c7cd2cf8e91d4780935bb73ee09162b70
Opcode Fuzzy Hash: dc53b0ef7543420e3750dd8de099858bc6c07c4a4475ecb1196c7259c6932a6b
Instruction Fuzzy Hash: 17516B3180115EAACF05EBA1EE92EEDB7B9AF14304F2451A9E40277091DF246F09CFB0

Function 00E2F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E2F6AB
Sleep.KERNEL32(0000000A), ref: 00E2F6DB
_wcscmp.LIBCMT ref: 00E2F6EF
_wcscmp.LIBCMT ref: 00E2F70A
FindNextFileW.KERNEL32(?,?), ref: 00E2F7A8
FindClose.KERNEL32(00000000), ref: 00E2F7BE

Strings

*.*, xrefs: 00E2F690

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 4c404bc6f58c92c2ea23bbb2497278292954d1cff27103dc11b050a408753f13
Instruction ID: 096ea782704f0fcb2447691dc786dd21dae984c6892f772a9630d07dd3dd8eb9
Opcode Fuzzy Hash: 4c404bc6f58c92c2ea23bbb2497278292954d1cff27103dc11b050a408753f13
Instruction Fuzzy Hash: 65414B7591021A9FCB11EF64DC89AEEBBB4FF05314F14457AE815B31A1DB309A44CBA0

Function 00DD4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00DD44DB
ERCP, xrefs: 00DD421F
VUUU, xrefs: 00E07B0C
VUUU, xrefs: 00DD4520
VUUU, xrefs: 00DD44ED

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: baf168b0d1049eaca349a376d1ea8cfbe06788dc820cc918c2b0b28a8ea5b062
Instruction ID: 8295695351b202e372a36b84afe8d4d09c7eaf0b75a4c9021c6dea168519902e
Opcode Fuzzy Hash: baf168b0d1049eaca349a376d1ea8cfbe06788dc820cc918c2b0b28a8ea5b062
Instruction Fuzzy Hash: A3A25C74E0421A8BDF24CF58C9907ADB7B1BF55314F1481AAD89AA7380D770AEC5DFA0

Function 00DD58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DD5A05
_memmove.LIBCMT ref: 00DD5A55
_memmove.LIBCMT ref: 00DD5ABB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: df23882fee3c8ecaf2afc7c486a5358405b6a0c4d57bf70a1d36c601c3abba1c
Instruction ID: 342aa3625e59cb3a637665a915e00da174b826335854ba1c85bd0e68e286d7f0
Opcode Fuzzy Hash: df23882fee3c8ecaf2afc7c486a5358405b6a0c4d57bf70a1d36c601c3abba1c
Instruction Fuzzy Hash: 7F129A70A0060ADFDF14DFA5D981AEEB7F5FF48300F14426AE446A7254EB35AE91CB60

Function 00E2545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E18CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E18D0D
Part of subcall function 00E18CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E18D3A
Part of subcall function 00E18CC3: GetLastError.KERNEL32 ref: 00E18D47

ExitWindowsEx.USER32(?,00000000), ref: 00E2549B

Strings

, xrefs: 00E25489
@, xrefs: 00E2548E
SeShutdownPrivilege, xrefs: 00E2546B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: c181d304039d06b799563cae0eea2cb000846291ef741ef3e6df3c43799e5bee
Instruction ID: a72e8dad905ee5cc87744d0c80df2959e10e11ea893ef536380f5e2420eef8bd
Opcode Fuzzy Hash: c181d304039d06b799563cae0eea2cb000846291ef741ef3e6df3c43799e5bee
Instruction Fuzzy Hash: 31012832655A312EE7287774BE4ABFAF258AB01757F242021FC27F20D2D6B00C804590

Function 00E36596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E365EF
WSAGetLastError.WSOCK32(00000000), ref: 00E365FE
bind.WSOCK32(00000000,?,00000010), ref: 00E3661A
listen.WSOCK32(00000000,00000005), ref: 00E36629
WSAGetLastError.WSOCK32(00000000), ref: 00E36643
closesocket.WSOCK32(00000000,00000000), ref: 00E36657

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: dab4309bbdd1b8fd53d62b6423a4efe91a0e94bee56454f192bbb06db015a27a
Instruction ID: 7b1e87719532d7af77c602763f5ac1488677553704aa3e89f2033c9c720c3f12
Opcode Fuzzy Hash: dab4309bbdd1b8fd53d62b6423a4efe91a0e94bee56454f192bbb06db015a27a
Instruction Fuzzy Hash: 94219135200200AFCB10AF65C94AF6EBBF9EF49724F158159E956F72D1CB70AD05CB61

Function 00DD5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041

_memmove.LIBCMT ref: 00E1062F
_memmove.LIBCMT ref: 00E10744
_memmove.LIBCMT ref: 00E107EB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 81da1f4a8dd1f4d184e1a02b1b820eda4da8ca91184159bf268f3318e7bb30d6
Instruction ID: 1475892d1e9cace6df30879fdc39139557440685afc59c1528be3fe1389e54a8
Opcode Fuzzy Hash: 81da1f4a8dd1f4d184e1a02b1b820eda4da8ca91184159bf268f3318e7bb30d6
Instruction Fuzzy Hash: D7029170A00205DFDF14DF65D981AAE7BB5FF44300F14806AE80AEB395EB71DA94DBA1

Function 00DC1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00DC19FA
GetSysColor.USER32(0000000F), ref: 00DC1A4E
SetBkColor.GDI32(?,00000000), ref: 00DC1A61

Part of subcall function 00DC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00DC12D8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 84bceb72f75809626221d66dd9a3689fbcbda7843cec302f54e71af4a60d6e64
Instruction ID: 09f6e51363d121f5f4b3cc68c4bc42cc2fa164998645db7a7a2c433be81da7ca
Opcode Fuzzy Hash: 84bceb72f75809626221d66dd9a3689fbcbda7843cec302f54e71af4a60d6e64
Instruction Fuzzy Hash: 32A1777810656BBEE628AB299C49F7F359DDB43351F29411EF543E7193CE20CC0296B2

Function 00E36A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E380CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E36AB1
WSAGetLastError.WSOCK32(00000000), ref: 00E36ADA
bind.WSOCK32(00000000,?,00000010), ref: 00E36B13
WSAGetLastError.WSOCK32(00000000), ref: 00E36B20
closesocket.WSOCK32(00000000,00000000), ref: 00E36B34

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 57ec3bb53cc8c9b634748d8ec94c8afecaa2517eeaf8048e291b94021fa3275b
Instruction ID: 99d38e8c5e52b31e0e45e1a9f2793a888e76d7129b7550aa56714b350f26960d
Opcode Fuzzy Hash: 57ec3bb53cc8c9b634748d8ec94c8afecaa2517eeaf8048e291b94021fa3275b
Instruction Fuzzy Hash: A941B575700611AFEB10AF24DC9AF6EBBA9DB45B10F04805CF91AAB2D2CA705D018BB1

Function 00E455FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E4564C
IsWindowEnabled.USER32 ref: 00E4565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00E45667
IsIconic.USER32 ref: 00E45675
IsZoomed.USER32 ref: 00E45683

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4b9029a288644768ae024b62af67ccbe88f53f492623466c570e2b23b34f30aa
Instruction ID: 90e1ecd558988513d1b0ae1e431f92f49c80c056d333ce3a2e5690b39b6c1960
Opcode Fuzzy Hash: 4b9029a288644768ae024b62af67ccbe88f53f492623466c570e2b23b34f30aa
Instruction Fuzzy Hash: 7711C432700911AFE7212F27EC44B6FB798EF45721B425469F806F7252CB74DD02CAA5

Function 00E3C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E01D88,?), ref: 00E3C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E3C324

Strings

kernel32.dll, xrefs: 00E3C30D
GetSystemWow64DirectoryW, xrefs: 00E3C31E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 41e38b6f830fd3d27dcf31f2fcd8e656068bb6718fb112907ac1d4b471e69a10
Instruction ID: 69b395e221cda0fe0e13fdc93731c5358b3a0d299173e85336a83c9085ef6787
Opcode Fuzzy Hash: 41e38b6f830fd3d27dcf31f2fcd8e656068bb6718fb112907ac1d4b471e69a10
Instruction Fuzzy Hash: 54E01274601713CFDB205F26D808A567AD4EF09B59F90D479E895F2750E770D841CB60

Function 00DD3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 9d249a96f78aef5593e27db045adfa527bab396e3559dcc45003af35fb871830
Instruction ID: c75e4777b1557b7b8568a66e87d7819e551c3287209ae77096cef50357f5d0a4
Opcode Fuzzy Hash: 9d249a96f78aef5593e27db045adfa527bab396e3559dcc45003af35fb871830
Instruction Fuzzy Hash: 03227A716083419FD724DF24C891B6BB7E4EF84704F14492EF89AA7391DB71EA44CBA2

Function 00E3F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E3F151
Process32FirstW.KERNEL32(00000000,?), ref: 00E3F15F

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Process32NextW.KERNEL32(00000000,?), ref: 00E3F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E3F22E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8b7f3aa7f0f6422f58e863a6c0cba9db7725e406b3ab53eabe49d662a6168293
Instruction ID: 4e598bc541cde88857f9a190042f23fcd63d37ea309bf329d68854a3468f3f23
Opcode Fuzzy Hash: 8b7f3aa7f0f6422f58e863a6c0cba9db7725e406b3ab53eabe49d662a6168293
Instruction Fuzzy Hash: 67516B71504701AFD310EF21DC85F6BBBE8EF94710F10482DF495972A2EB70A909CBA2

Function 00E240B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E240D1
_memset.LIBCMT ref: 00E240F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E24144
CloseHandle.KERNEL32(00000000), ref: 00E2414D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: c91b4676f4c68d616b2a0ced2d1acb3a92e246151f43c4d02a5dcab47f00b85a
Instruction ID: 1e4a77b77c96eda9e98bdaca6e036ba9e8cc3e5d533125a728e75e5a456d4b9e
Opcode Fuzzy Hash: c91b4676f4c68d616b2a0ced2d1acb3a92e246151f43c4d02a5dcab47f00b85a
Instruction Fuzzy Hash: DE11EB759012387AD7305BA5AC4DFABBB7CEF45B60F104196F908E7180D6744E848BA4

Function 00E1EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E1EB19

Strings

(, xrefs: 00E1EB5F
|, xrefs: 00E1EB49

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5a875221b302901e9b99a3567b7c9bfce31c46d458849ea8f50dffab06e8142f
Instruction ID: dbf5fc87fca90be5b2937333d78bc618edafc37d566f151cc22cc25160811d7c
Opcode Fuzzy Hash: 5a875221b302901e9b99a3567b7c9bfce31c46d458849ea8f50dffab06e8142f
Instruction Fuzzy Hash: 37321575A046059FDB28CF19C481AAAF7F1FF48310B15D56EE89AEB3A1D770E981CB40

Function 00E325E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E326D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E3270C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 80e77b7a1c134047fb09c2c7e202352923101b9587e0ab790e9253672669483f
Instruction ID: 62376460f4835ae4ca84a4caeb0b9247c3ba02efe109773a0d44e7196141b95f
Opcode Fuzzy Hash: 80e77b7a1c134047fb09c2c7e202352923101b9587e0ab790e9253672669483f
Instruction Fuzzy Hash: 7C41D475900209BFEB209A55DC8AEBBBBBCEF40718F10506EF785B6140EA719E41D664

Function 00E2B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E2B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E2B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E2B655

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e9b37739a5a49076fbd217102f5ee0d80ba6d8a8918ba7ed24edb03bc23c5145
Instruction ID: 497ea893d44e1ad7b2826d8ece9680823de8576ab813f8fb3b341ecc0699934a
Opcode Fuzzy Hash: e9b37739a5a49076fbd217102f5ee0d80ba6d8a8918ba7ed24edb03bc23c5145
Instruction Fuzzy Hash: 25215135A00518EFCB00EF65D884EADBBB8FF49310F1480A9E905EB351DB31A956CB61

Function 00E18CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E18D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E18D3A
GetLastError.KERNEL32 ref: 00E18D47

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0016ce2036559c5d407d72e007e223548139aa6735a89cb5c735ec5a772b2fc9
Instruction ID: 7d1b7072a2975384910b421e60202ab60f6d9b79b0b54a83c9c6387516a4e8dd
Opcode Fuzzy Hash: 0016ce2036559c5d407d72e007e223548139aa6735a89cb5c735ec5a772b2fc9
Instruction Fuzzy Hash: 43118FB1514309AFD728AF55ED85DABB7BDEB44710B20852EF456A3241EF70AC818A70

Function 00E24C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E24C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E24C43
FreeSid.ADVAPI32(?), ref: 00E24C53

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9ec13bb81f4d5dfa655bd07450a5139c98176029b48f4b0e36ba5d39374a0700
Instruction ID: 2518082c9f7bc8b913df2e9abb100a192f0f2699d552f23c5b3636df9cee8164
Opcode Fuzzy Hash: 9ec13bb81f4d5dfa655bd07450a5139c98176029b48f4b0e36ba5d39374a0700
Instruction Fuzzy Hash: 65F04F7591130CBFDF04DFF4DC89AAEB7BCEF08601F004469E501E2181D6705A048B50

Function 00E28B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E28B25

Part of subcall function 00DE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E291F8,00000000,?,?,?,?,00E293A9,00000000,?), ref: 00DE5443
Part of subcall function 00DE543A: __aulldiv.LIBCMT ref: 00DE5463

Strings

0u, xrefs: 00E28B1C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: 37325b1baad02343805980a41979d427cfaccd48e2c865182562e731236eba45
Instruction ID: c88598cbae52aa1203a782038e8dbf5b1a22b5528638b079052545c74609dc83
Opcode Fuzzy Hash: 37325b1baad02343805980a41979d427cfaccd48e2c865182562e731236eba45
Instruction Fuzzy Hash: C321E4726355108FC329CF29E841A52B3E1EBA5311B289E6CD0F9DB2D0CA34B905CB94

Function 00DCE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb012a03c3a3767f6af1bbbc71b8e4e13e33f7088d65b67ee8dab42147fe73a
Instruction ID: 24d2fe0847a18565bf58087d2532194d164ff5e8e2b9cc865975855bee75ed68
Opcode Fuzzy Hash: 9bb012a03c3a3767f6af1bbbc71b8e4e13e33f7088d65b67ee8dab42147fe73a
Instruction Fuzzy Hash: 5C228CB4A00256CFDB24DF54C481BAAF7B4FF04300F18856DE896AB391D775E985CBA1

Function 00E2C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E2C966
FindClose.KERNEL32(00000000), ref: 00E2C996

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: af485e27ff84cd4ef7714ed41c931f83dc130ac8c141f23f1250b1bf510ff17a
Instruction ID: a6007936e7e1ee49cad023815b31365de2b8ba9619a96b00f14893be15f78142
Opcode Fuzzy Hash: af485e27ff84cd4ef7714ed41c931f83dc130ac8c141f23f1250b1bf510ff17a
Instruction Fuzzy Hash: CE11A1366006109FD710EF29D859E2AF7E9FF85724F00851EF9AAD72A1DB70AC05CB91

Function 00E2A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E3977D,?,00E4FB84,?), ref: 00E2A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E3977D,?,00E4FB84,?), ref: 00E2A314

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1eb798d680c47b9c1e394383f8c41cb05f5daa134b398873bf44bc4e4bdb623f
Instruction ID: 12bfcf9603420f8f6ef9084d62ae19c8308df5f04a34ef3fc353fab3797fb1b6
Opcode Fuzzy Hash: 1eb798d680c47b9c1e394383f8c41cb05f5daa134b398873bf44bc4e4bdb623f
Instruction Fuzzy Hash: 28F0823554422DEBDB109FA4DC48FEA776DFF09761F008269F908E7191D6709944CBB1

Function 00E18713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E18851), ref: 00E18728
CloseHandle.KERNEL32(?,?,00E18851), ref: 00E1873A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1bd68e130924a5bb884e36d2d706ad805826cae22c17421f690f84eab194645a
Instruction ID: 892292392425ba06b587a85ffec66cb5629e6abbcf5d3f71f8d0c6c9b9775159
Opcode Fuzzy Hash: 1bd68e130924a5bb884e36d2d706ad805826cae22c17421f690f84eab194645a
Instruction Fuzzy Hash: 6CE0463A000640EEE7212B22EC09D73BBE9EB00750B608829F89680870CB32AC91DB20

Function 00DEA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DE8F97,?,?,?,00000001), ref: 00DEA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DEA3A3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3bbe166617baf5e3fe0c366f6e3c61e201cd13cd73dd7d802de8f423a6ca18b0
Instruction ID: 65806b81f0b8b01e295ab784d81dfc6c87fd94c6873506a1f77404f8863261f3
Opcode Fuzzy Hash: 3bbe166617baf5e3fe0c366f6e3c61e201cd13cd73dd7d802de8f423a6ca18b0
Instruction Fuzzy Hash: 88B09235054208AFCA002F92EC09F883F68EB46EA2F404020F60D94060CB6254568A91

Function 00DEF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373ae72873a9dd5428a0c6b4f5243a1a3b35d0822a45f538a27ff4165b093422
Instruction ID: e0c8aaf690deda72bda093ca335e693583bfff6765bfa444a4c89ce2764bbc70
Opcode Fuzzy Hash: 373ae72873a9dd5428a0c6b4f5243a1a3b35d0822a45f538a27ff4165b093422
Instruction Fuzzy Hash: 52325722D29F414DD767A636D872335A289AFB73C5F24DB37F819B59A6EB28C4C30110

Function 00DF267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36febdfefdbda6821b45435add5053c7f0b2269855afba790e737194d6a0e838
Instruction ID: ca6017961c2b3f989c9aea4fe2925e4206bed7dcbcee6852c34f0b94a50b0e54
Opcode Fuzzy Hash: 36febdfefdbda6821b45435add5053c7f0b2269855afba790e737194d6a0e838
Instruction Fuzzy Hash: 6FB1F520D2AF414DD72396398831336BB5CAFB72DAF56DB2BFC2674D22EB2185874141

Function 00E341FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E34218

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 24fad1a2c06ec9b22fce0e47f115f41559d37df39458f5c6fce6205f35669967
Instruction ID: 5a4b1fa99b180ab4992f5c1249fb93008d507c187328f25be013fdfeb549361f
Opcode Fuzzy Hash: 24fad1a2c06ec9b22fce0e47f115f41559d37df39458f5c6fce6205f35669967
Instruction Fuzzy Hash: 30E012752401159FC7109F5AD448E9AFBD8EF54760F018019FC49E7261DA70A841CBA0

Function 00E24EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E24F18

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 399695560d53086787ff6d5c37446074fe8d384a94a2c83b084ea2868c74df21
Instruction ID: b4b33bf5e21503531ccb3043f393c31c2848d6e0065247b0c347ff778e44a8de
Opcode Fuzzy Hash: 399695560d53086787ff6d5c37446074fe8d384a94a2c83b084ea2868c74df21
Instruction Fuzzy Hash: 74D05EF43642253CFC184B20BE0FFB60108E3C0B85F8879897205B98C5A8E56C00A835

Function 00E18C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E188D1), ref: 00E18CB3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: d54a45095211f01246239e51083258535a9a684fe07bb8e1ea2d65c482947880
Instruction ID: 65c4e923bce55535c964aabd4d84bdb8fa18a8207e397c6e48cbdcd72867d63f
Opcode Fuzzy Hash: d54a45095211f01246239e51083258535a9a684fe07bb8e1ea2d65c482947880
Instruction Fuzzy Hash: F1D05E3226050EAFEF018EA4DC01EAF3B69EB04B01F408111FE15D50A1C775D835AB60

Function 00E02230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E02242

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f3c097601cfefd9492a7089886ca4fb40c1cde8bf3fd407011e455536a3e749a
Instruction ID: 394203027f516d39cfa66912a4581a2e5c3050c2c2ffd36c98866348d81d8d66
Opcode Fuzzy Hash: f3c097601cfefd9492a7089886ca4fb40c1cde8bf3fd407011e455536a3e749a
Instruction Fuzzy Hash: 6BC048F5C00109DBDB15DBA0DA88DEEB7BCAB08304F2040A6E102F2140E7749B888E71

Function 00DEA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DEA36A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 858ac8bafb14a7aadebf86be8e703b1b147cc7413de6ca0df57505146ca65f91
Instruction ID: d11799791f4e730da05a94556677a59095dda3f7d17438f927cb2d93164397e5
Opcode Fuzzy Hash: 858ac8bafb14a7aadebf86be8e703b1b147cc7413de6ca0df57505146ca65f91
Instruction Fuzzy Hash: 01A0113000020CAB8A002F82EC08888BFACEB02AA0B008020F80C800228B32A8228A80

Function 00DD8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ffda75dab684ce9a02f572e14f235841d6b9c768d687c1e51fb2e332555097
Instruction ID: 157c2d9b1ae6d068f5afc7b2f025192a31f9e39d5c835b62f62e14e62a67e390
Opcode Fuzzy Hash: 78ffda75dab684ce9a02f572e14f235841d6b9c768d687c1e51fb2e332555097
Instruction Fuzzy Hash: C3223731511616CBDF3A8B2DC4846BDB7A1EB81344F29846BD896AB391DB30DDC1EB70

Function 00DE2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 4e15ad774c136655ea18f342cc2d3a28dc3cd65654fd86075bc7ef886dc451e5
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: BAC16D372051D30ADB2D963B947413EBAE55EA27B131E0B6DE8B2CB5C4EF20D564E630

Function 00DE283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: fd5ee5448c34e92c9b539eff81d512daba644c0b501269c5eb369f559e50fe5f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: C5C19D372091D30ADB2D563B887403EBBE55EA27B131E176DE4B2DB4C5EF20D564A630

Function 018E3660 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ec598096cdca35a20844d2768fce5e77af0118851b536844f2cc9bef7e56bd21
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D741D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 018E3550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 91c2b2f5add9615308df817ea24e06a53f96234c2512c7e52e1a643de30e8408
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 3D018078A00209EFCB44DF99C5949AEFBF5FB49310B208599EC19A7701D730AE41DB80

Function 018E34F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ae8c56a642fba5342049cd0877ae4a1370a5a602c33e1f5a878b8cfaa4b464ca
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 42018079A00209EFCB49DF99C5949AEF7F5FB49310B208599EC09A7701D731AE41DB80

Function 018E1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1994207005.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00E437F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E4F910), ref: 00E438AF
IsWindowVisible.USER32(?), ref: 00E438D3

Strings

GETCURRENTLINE, xrefs: 00E43B75
TABLEFT, xrefs: 00E4390F
HIDEDROPDOWN, xrefs: 00E43988
ISCHECKED, xrefs: 00E43AC1
ISENABLED, xrefs: 00E438F3
GETLINE, xrefs: 00E43C23
GETLINECOUNT, xrefs: 00E43B4E
SETCURRENTSELECTION, xrefs: 00E43A3E
GETCURRENTCOL, xrefs: 00E43BB0
SELECTSTRING, xrefs: 00E43A8E
FINDSTRING, xrefs: 00E439FE
SHOWDROPDOWN, xrefs: 00E43968
UNCHECK, xrefs: 00E43B0B
ADDSTRING, xrefs: 00E4399E
TABRIGHT, xrefs: 00E43925
CURRENTTAB, xrefs: 00E43945
SENDCOMMANDID, xrefs: 00E43C62
DELSTRING, xrefs: 00E439D1
EDITPASTE, xrefs: 00E43BE7
CHECK, xrefs: 00E43AF5
GETSELECTED, xrefs: 00E43B2B
ISVISIBLE, xrefs: 00E438BF
GETCURRENTSELECTION, xrefs: 00E43A6B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: e49872614786c16c8e209fefdeb0aac173182d734e10b2ab0c0c3e73c289e48c
Instruction ID: cb8699b13931fca7242574550fb016d41e0c93589da6dee4eadef2e85d34cd71
Opcode Fuzzy Hash: e49872614786c16c8e209fefdeb0aac173182d734e10b2ab0c0c3e73c289e48c
Instruction Fuzzy Hash: 39D1A330204205DBCB14EF21D855BAABBA1EF94354F11945CB8867B6A3DB70EE4ACB61

Function 00E4A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E4A89F
GetSysColorBrush.USER32(0000000F), ref: 00E4A8D0
GetSysColor.USER32(0000000F), ref: 00E4A8DC
SetBkColor.GDI32(?,000000FF), ref: 00E4A8F6
SelectObject.GDI32(?,?), ref: 00E4A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00E4A930
GetSysColor.USER32(00000010), ref: 00E4A938
CreateSolidBrush.GDI32(00000000), ref: 00E4A93F
FrameRect.USER32(?,?,00000000), ref: 00E4A94E
DeleteObject.GDI32(00000000), ref: 00E4A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00E4A9A0
FillRect.USER32(?,?,?), ref: 00E4A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00E4A9FD

Part of subcall function 00E4AB60: GetSysColor.USER32(00000012), ref: 00E4AB99
Part of subcall function 00E4AB60: SetTextColor.GDI32(?,?), ref: 00E4AB9D
Part of subcall function 00E4AB60: GetSysColorBrush.USER32(0000000F), ref: 00E4ABB3
Part of subcall function 00E4AB60: GetSysColor.USER32(0000000F), ref: 00E4ABBE
Part of subcall function 00E4AB60: GetSysColor.USER32(00000011), ref: 00E4ABDB
Part of subcall function 00E4AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E4ABE9
Part of subcall function 00E4AB60: SelectObject.GDI32(?,00000000), ref: 00E4ABFA
Part of subcall function 00E4AB60: SetBkColor.GDI32(?,00000000), ref: 00E4AC03
Part of subcall function 00E4AB60: SelectObject.GDI32(?,?), ref: 00E4AC10
Part of subcall function 00E4AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E4AC2F
Part of subcall function 00E4AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E4AC46
Part of subcall function 00E4AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E4AC5B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 80b506baed1ff3c747cffcf6c5f511120dbda930c5d0b3199ec96e6542022ab8
Instruction ID: f0a16fcf5c3db14a19b1433f90e68d83f86bfc8d447d4db715ed236b47c6ef3f
Opcode Fuzzy Hash: 80b506baed1ff3c747cffcf6c5f511120dbda930c5d0b3199ec96e6542022ab8
Instruction Fuzzy Hash: 27A1CE76008301EFD7109F65EC08A6B7BA9FF89731F141A29F962B61E1C734D84ACB52

Function 00DC2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00DC2CA2
DeleteObject.GDI32(00000000), ref: 00DC2CE8
DeleteObject.GDI32(00000000), ref: 00DC2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00DC2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00DC2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00DFC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DFC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DFCAED

Part of subcall function 00DC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DC2036,?,00000000,?,?,?,?,00DC16CB,00000000,?), ref: 00DC1B9A

SendMessageW.USER32(?,00001053), ref: 00DFCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DFCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DFCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DFCB62

Strings

0, xrefs: 00DFC981

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: d322478d4fc441e4c26491f267f7510df1b3dc03d8393cb6d424db32c600bce1
Instruction ID: 3107e1429fa6640df9a9f7e47842756014dd9939dafb61c6cf20fbab4c266a82
Opcode Fuzzy Hash: d322478d4fc441e4c26491f267f7510df1b3dc03d8393cb6d424db32c600bce1
Instruction Fuzzy Hash: 4012A03451420AEFDB14DF24CA84BB9B7E1FF45300F199569EA85DB262C731EC66CBA0

Function 00E377BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E377F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E378B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E378EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E37900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E37946
GetClientRect.USER32(00000000,?), ref: 00E37952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E37996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E379A5
GetStockObject.GDI32(00000011), ref: 00E379B5
SelectObject.GDI32(00000000,00000000), ref: 00E379B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E379C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E379D2
DeleteDC.GDI32(00000000), ref: 00E379DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E37A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E37A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E37A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E37A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E37A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E37AAE
GetStockObject.GDI32(00000011), ref: 00E37AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E37AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E37ACE

Strings

static, xrefs: 00E37990, 00E37AA8
msctls_progress32, xrefs: 00E37A4F
AutoIt v3, xrefs: 00E3793E
DISPLAY, xrefs: 00E3799B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fd69ed18244d29331ae0f8420e7078492e1f3901441738bf6603b9d100f9c03c
Instruction ID: 4e0cf113a89b5c580e9b586a1a0cb599badb066897dcfa64e5dd99d526c46cdf
Opcode Fuzzy Hash: fd69ed18244d29331ae0f8420e7078492e1f3901441738bf6603b9d100f9c03c
Instruction Fuzzy Hash: 61A181B1A40215BFEB14DBA5DC4AFAEBBB9EB49710F004154FA14B72E0C774AD05CB60

Function 00E2AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E2AF89
GetDriveTypeW.KERNEL32(?,00E4FAC0,?,\\.\,00E4F910), ref: 00E2B066
SetErrorMode.KERNEL32(00000000,00E4FAC0,?,\\.\,00E4F910), ref: 00E2B1C4

Strings

PhysicalDrive, xrefs: 00E2B012
Removable, xrefs: 00E2B0B8
ATA, xrefs: 00E2B13F
RAMDisk, xrefs: 00E2B090
Virtual, xrefs: 00E2B18C
Fibre, xrefs: 00E2B154
\\.\, xrefs: 00E2AFDB
MMC, xrefs: 00E2B185
SSD, xrefs: 00E2B0F1
Network, xrefs: 00E2B0A4
SAS, xrefs: 00E2B170
CDROM, xrefs: 00E2B09A
SATA, xrefs: 00E2B177
USB, xrefs: 00E2B15B
Fixed, xrefs: 00E2B0AE
FileBackedVirtual, xrefs: 00E2B193
SCSI, xrefs: 00E2B131
1394, xrefs: 00E2B146
ATAPI, xrefs: 00E2B138
Unknown, xrefs: 00E2B086, 00E2B12A
iSCSI, xrefs: 00E2B169
SSA, xrefs: 00E2B14D
RAID, xrefs: 00E2B162

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 193b6704c2b087f549515ba863babd79813dc73942419048cb024a05fcc09e4d
Instruction ID: bbe82f2cd2de1c8eea345d9f7f7489ce20770a544abfa0475c618174926c76d8
Opcode Fuzzy Hash: 193b6704c2b087f549515ba863babd79813dc73942419048cb024a05fcc09e4d
Instruction Fuzzy Hash: B151E430681716EB8B04DB10E9A2DBD73B1FF94745728B02AF40AB7290C734AD51DB52

Function 00DC6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DC6A91
__wcsnicmp.LIBCMT ref: 00DC6AA9
__wcsnicmp.LIBCMT ref: 00DC6AC1
__wcsnicmp.LIBCMT ref: 00DC6AD9
__wcsnicmp.LIBCMT ref: 00DC6AF1
__wcsnicmp.LIBCMT ref: 00DC6B09
__wcsnicmp.LIBCMT ref: 00DC6B21
__wcsnicmp.LIBCMT ref: 00DC6B35
__wcsnicmp.LIBCMT ref: 00DC6B76
__wcsnicmp.LIBCMT ref: 00DC6B8A
__wcsnicmp.LIBCMT ref: 00DC6B9E
__wcsnicmp.LIBCMT ref: 00DC6BB2

Strings

#ce, xrefs: 00DC6BAC
#include, xrefs: 00DC6B03
#cs, xrefs: 00DC6B2F, 00DC6B84
#comments-start, xrefs: 00DC6B1B, 00DC6B70
#include-once, xrefs: 00DC6AEB
Bad directive syntax error, xrefs: 00DFE743
#notrayicon, xrefs: 00DC6AA3
#pragma compile, xrefs: 00DC6A8B
#OnAutoItStartRegister, xrefs: 00DC6AD3
Cannot parse #include, xrefs: 00DFE819
#requireadmin, xrefs: 00DC6ABB
Unterminated group of comments, xrefs: 00DFE82C
#comments-end, xrefs: 00DC6B98

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a02196e4c83ad62f8bdadb0562788ff1d4f758e98543ad3db5284e8ad8b648e0
Instruction ID: f395bf6f64f411be6ac04aaa284e0dbd4877d7c657ba6475198e2ce5079e9d84
Opcode Fuzzy Hash: a02196e4c83ad62f8bdadb0562788ff1d4f758e98543ad3db5284e8ad8b648e0
Instruction Fuzzy Hash: FF81EA70640356AACB20BF61DC93FBE7759EF15700F088029FE45AB196EB70DA85C671

Function 00E4AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E4AB99
SetTextColor.GDI32(?,?), ref: 00E4AB9D
GetSysColorBrush.USER32(0000000F), ref: 00E4ABB3
GetSysColor.USER32(0000000F), ref: 00E4ABBE
CreateSolidBrush.GDI32(?), ref: 00E4ABC3
GetSysColor.USER32(00000011), ref: 00E4ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E4ABE9
SelectObject.GDI32(?,00000000), ref: 00E4ABFA
SetBkColor.GDI32(?,00000000), ref: 00E4AC03
SelectObject.GDI32(?,?), ref: 00E4AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00E4AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E4AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00E4AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E4ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E4ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00E4ACEC
DrawFocusRect.USER32(?,?), ref: 00E4ACF7
GetSysColor.USER32(00000011), ref: 00E4AD05
SetTextColor.GDI32(?,00000000), ref: 00E4AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E4AD21
SelectObject.GDI32(?,00E4A869), ref: 00E4AD38
DeleteObject.GDI32(?), ref: 00E4AD43
SelectObject.GDI32(?,?), ref: 00E4AD49
DeleteObject.GDI32(?), ref: 00E4AD4E
SetTextColor.GDI32(?,?), ref: 00E4AD54
SetBkColor.GDI32(?,?), ref: 00E4AD5E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5c0d86413dbefd8df256f5eba42a202c9493067961f61236c983dc58d282ed1d
Instruction ID: 9015afd13046f6ddbe28865694a304180e2270aada4b41ce96807ae3064d0302
Opcode Fuzzy Hash: 5c0d86413dbefd8df256f5eba42a202c9493067961f61236c983dc58d282ed1d
Instruction Fuzzy Hash: 59619B75900208EFDF109FA9EC48EAEBBB9EB09720F158125F911BB2A1D6759D41CF90

Function 00E48C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E48D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E48D45
CharNextW.USER32(0000014E), ref: 00E48D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E48DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E48DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E48DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E48DF9
SetWindowTextW.USER32(?,0000014E), ref: 00E48E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E48E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E48E8C
_memset.LIBCMT ref: 00E48EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E48EFA
_memset.LIBCMT ref: 00E48F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E48F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E48FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00E49088
InvalidateRect.USER32(?,00000000,00000001), ref: 00E490AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E490F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E49121
DrawMenuBar.USER32(?), ref: 00E49130
SetWindowTextW.USER32(?,0000014E), ref: 00E49158

Strings

0, xrefs: 00E490C2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 4a476c2eeae415bad50315e6154297d9dccc4ab32c231ef0c6500469fdf89e1d
Instruction ID: 3c6e252e5496fc9b7152a0defb5e947b7eb0fdd758b193e4bfa8608a17a36c03
Opcode Fuzzy Hash: 4a476c2eeae415bad50315e6154297d9dccc4ab32c231ef0c6500469fdf89e1d
Instruction Fuzzy Hash: F3E1B174901209AFDF209F61DC88EEF7BB9EF05714F009196F919BA291DB708A85DF60

Function 00E44B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E44C51
GetDesktopWindow.USER32 ref: 00E44C66
GetWindowRect.USER32(00000000), ref: 00E44C6D
GetWindowLongW.USER32(?,000000F0), ref: 00E44CCF
DestroyWindow.USER32(?), ref: 00E44CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E44D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E44D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E44D68
SendMessageW.USER32(?,00000421,?,?), ref: 00E44D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E44D90
IsWindowVisible.USER32(?), ref: 00E44DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E44DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E44DDF
GetWindowRect.USER32(?,?), ref: 00E44DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00E44E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00E44E37
CopyRect.USER32(?,?), ref: 00E44E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00E44EB9

Strings

(, xrefs: 00E44E2A
0, xrefs: 00E44BFC
tooltips_class32, xrefs: 00E44D1D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 470428090162b953d2dddf38b41e47d4469ad03c2a1280f795179f32cebf2803
Instruction ID: 14b2a705adf7ceb9debad6ca6f8724a92ce87322b0576c186a811d2d6049e3ed
Opcode Fuzzy Hash: 470428090162b953d2dddf38b41e47d4469ad03c2a1280f795179f32cebf2803
Instruction Fuzzy Hash: 7EB18BB1604341AFDB04DF25D889B5ABBE4FF84714F00891CF599AB2A1DB70EC05CBA1

Function 00E246D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E246E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E2470E
_wcscpy.LIBCMT ref: 00E2473C
_wcscmp.LIBCMT ref: 00E24747
_wcscat.LIBCMT ref: 00E2475D
_wcsstr.LIBCMT ref: 00E24768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E24784
_wcscat.LIBCMT ref: 00E247CD
_wcscat.LIBCMT ref: 00E247D4
_wcsncpy.LIBCMT ref: 00E247FF

Strings

04090000, xrefs: 00E247BA
StringFileInfo\, xrefs: 00E24757
\VarFileInfo\Translation, xrefs: 00E2477C
DefaultLangCodepage, xrefs: 00E247E7
%u.%u.%u.%u, xrefs: 00E24862

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: fd1376e5c63171ec89d26ee2f5467e85e3b8f1aa3009477272cb5c33b10b83cc
Instruction ID: c6e88d196a4dbaaf0536f086388462ce850ea05493fe741af2b39e561413dbe3
Opcode Fuzzy Hash: fd1376e5c63171ec89d26ee2f5467e85e3b8f1aa3009477272cb5c33b10b83cc
Instruction Fuzzy Hash: 8A414776A003907BEB14BB729C47EBF77ACDF42710F04016AF905F6182EB74AA0196B5

Function 00DC27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DC28BC
GetSystemMetrics.USER32(00000007), ref: 00DC28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DC28EF
GetSystemMetrics.USER32(00000008), ref: 00DC28F7
GetSystemMetrics.USER32(00000004), ref: 00DC291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DC2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DC2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DC297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DC2990
GetClientRect.USER32(00000000,000000FF), ref: 00DC29AE
GetStockObject.GDI32(00000011), ref: 00DC29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC29D5

Part of subcall function 00DC2344: GetCursorPos.USER32(?), ref: 00DC2357
Part of subcall function 00DC2344: ScreenToClient.USER32(00E867B0,?), ref: 00DC2374
Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000001), ref: 00DC2399
Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000002), ref: 00DC23A7

SetTimer.USER32(00000000,00000000,00000028,00DC1256), ref: 00DC29FC

Strings

AutoIt v3 GUI, xrefs: 00DC2974

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fe32f2e5ec24598692fe5d60196c6a95228e448ccb63e5c3d3d68bac5b58aa65
Instruction ID: 0968caa8192a9c5f4ea39387656bc4200c09da91461d8e236e6fd5977c3731ae
Opcode Fuzzy Hash: fe32f2e5ec24598692fe5d60196c6a95228e448ccb63e5c3d3d68bac5b58aa65
Instruction Fuzzy Hash: 63B16A75A0020AAFDB14DFA9DD45FAE7BB4FB08710F118129FA19E7290CB74E851CB60

Function 00E44069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E440F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E441B6

Strings

GETITEMCOUNT, xrefs: 00E44128
GETSUBITEMCOUNT, xrefs: 00E44141
FINDITEM, xrefs: 00E44329
SELECTINVERT, xrefs: 00E44286
VIEWCHANGE, xrefs: 00E44375
SELECTCLEAR, xrefs: 00E44235
DESELECT, xrefs: 00E442A4
ISSELECTED, xrefs: 00E441C1
SELECT, xrefs: 00E44250
SELECTALL, xrefs: 00E4421D
GETSELECTEDCOUNT, xrefs: 00E44199
GETTEXT, xrefs: 00E4415F
GETSELECTED, xrefs: 00E442E4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: a276297ab4e03a53b3b840244ac06c9d885e8c8d8019b3c2ff91d6e3398f81a3
Instruction ID: 8b5d6f6af0121593184476b6cd9f1926830e395de07353634c67b4d36fae616e
Opcode Fuzzy Hash: a276297ab4e03a53b3b840244ac06c9d885e8c8d8019b3c2ff91d6e3398f81a3
Instruction Fuzzy Hash: C8A181703142029BCB14EF20D951F6AB7E5FF84314F14596CB89AAB6D2DB70EC45CB61

Function 00E352F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00E35309
LoadCursorW.USER32(00000000,00007F8A), ref: 00E35314
LoadCursorW.USER32(00000000,00007F00), ref: 00E3531F
LoadCursorW.USER32(00000000,00007F03), ref: 00E3532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00E35335
LoadCursorW.USER32(00000000,00007F01), ref: 00E35340
LoadCursorW.USER32(00000000,00007F81), ref: 00E3534B
LoadCursorW.USER32(00000000,00007F88), ref: 00E35356
LoadCursorW.USER32(00000000,00007F80), ref: 00E35361
LoadCursorW.USER32(00000000,00007F86), ref: 00E3536C
LoadCursorW.USER32(00000000,00007F83), ref: 00E35377
LoadCursorW.USER32(00000000,00007F85), ref: 00E35382
LoadCursorW.USER32(00000000,00007F82), ref: 00E3538D
LoadCursorW.USER32(00000000,00007F84), ref: 00E35398
LoadCursorW.USER32(00000000,00007F04), ref: 00E353A3
LoadCursorW.USER32(00000000,00007F02), ref: 00E353AE
GetCursorInfo.USER32(?), ref: 00E353BE
GetLastError.KERNEL32(00000001,00000000), ref: 00E353E9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 5b525f6c788143e3634fb6d2e89c09a06fd857ea4366a1f0246f35d2a2132420
Instruction ID: 4c6345da6a117b03785c1f10faee4922039a8677c3877c4cc1c48d46c02b3142
Opcode Fuzzy Hash: 5b525f6c788143e3634fb6d2e89c09a06fd857ea4366a1f0246f35d2a2132420
Instruction Fuzzy Hash: 09417170E04319AADB109FBA8C49D6EFFF8EF51B10F10452FE519E7290DAB8A401CE61

Function 00E1AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E1AAA5
__swprintf.LIBCMT ref: 00E1AB46
_wcscmp.LIBCMT ref: 00E1AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E1ABAE
_wcscmp.LIBCMT ref: 00E1ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00E1AC21
GetDlgCtrlID.USER32(?), ref: 00E1AC73
GetWindowRect.USER32(?,?), ref: 00E1ACA9
GetParent.USER32(?), ref: 00E1ACC7
ScreenToClient.USER32(00000000), ref: 00E1ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00E1AD48
_wcscmp.LIBCMT ref: 00E1AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00E1AD82
_wcscmp.LIBCMT ref: 00E1AD96

Part of subcall function 00DE386C: _iswctype.LIBCMT ref: 00DE3874

Strings

%s%u, xrefs: 00E1AB40

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: e692507d39ffe042013182c406686abfc6e48e35a5d90601652762389dae9c70
Instruction ID: 64e557f6c4ef321057994a95b123cd243ab66b80fe1ebb601b32d20e4ef73cd7
Opcode Fuzzy Hash: e692507d39ffe042013182c406686abfc6e48e35a5d90601652762389dae9c70
Instruction Fuzzy Hash: F3A1CE71205646AFD714DF20D884BFAF7E8FF44319F085629F999A2190DB30E985CBA2

Function 00E1B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00E1B3DB
_wcscmp.LIBCMT ref: 00E1B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00E1B414
CharUpperBuffW.USER32(?,00000000), ref: 00E1B431
_wcscmp.LIBCMT ref: 00E1B44F
_wcsstr.LIBCMT ref: 00E1B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00E1B498
_wcscmp.LIBCMT ref: 00E1B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00E1B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00E1B518
_wcscmp.LIBCMT ref: 00E1B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00E1B550
GetWindowRect.USER32(00000004,?), ref: 00E1B5B9

Strings

@, xrefs: 00E1B3BC
ThumbnailClass, xrefs: 00E1B4A3, 00E1B523

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 3b8dfe90d599e6ead9267d73f61f08802cf467a83030b6ecafa70680663293f9
Instruction ID: 5f4ddd1ca63f84355c8b0ca1d4a58d4e496e0f16c171483b33570c2db09707f0
Opcode Fuzzy Hash: 3b8dfe90d599e6ead9267d73f61f08802cf467a83030b6ecafa70680663293f9
Instruction Fuzzy Hash: C781D0710043059FDB04DF11C885FEA7BE9EF44718F04906AFD95AA0A2EB34DD89CBA1

Function 00E4C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

DragQueryPoint.SHELL32(?,?), ref: 00E4C917

Part of subcall function 00E4ADF1: ClientToScreen.USER32(?,?), ref: 00E4AE1A
Part of subcall function 00E4ADF1: GetWindowRect.USER32(?,?), ref: 00E4AE90
Part of subcall function 00E4ADF1: PtInRect.USER32(?,?,00E4C304), ref: 00E4AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00E4C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E4C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E4C9AE
_wcscat.LIBCMT ref: 00E4C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E4C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00E4CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00E4CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00E4CA47
DragFinish.SHELL32(?), ref: 00E4CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E4CB41

Strings

@GUI_DRAGID, xrefs: 00E4CAB9
@GUI_DRAGFILE, xrefs: 00E4CAF0
pr, xrefs: 00E4CA8B
@GUI_DROPID, xrefs: 00E4CA6E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 169749273-2073472848
Opcode ID: f02035785d5f74cda19f7c1f04c62b893f9e4ca9f22a58d1c1fc2011b99b0d8e
Instruction ID: 0f66eeac3953641a9103e51b38f665f707f6352591f387aa05868b45e52623dc
Opcode Fuzzy Hash: f02035785d5f74cda19f7c1f04c62b893f9e4ca9f22a58d1c1fc2011b99b0d8e
Instruction Fuzzy Hash: 6A617D71508301AFC701EF61DC85E9FBBE8EF89750F00092EF595A31A1DB709A49CBA2

Function 00E1B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E1B23F

Strings

[ACTIVE, xrefs: 00E1B22C
HANDLE=, xrefs: 00E1B238
LAST, xrefs: 00E1B204
[CLASS:, xrefs: 00E1B28F
[REGEXPTITLE:, xrefs: 00E1B267
CLASSNAME=, xrefs: 00E1B27C
[HANDLE:, xrefs: 00E1B24B
REGEXP=, xrefs: 00E1B254
[LAST, xrefs: 00E1B2EC
ALL, xrefs: 00E1B2D3
[ALL, xrefs: 00E1B2E5
ACTIVE, xrefs: 00E1B21A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 50c44ea9ac27249a35f1c01bd92ed13959c5931a728a384b39008edbc4f41f7b
Instruction ID: ed7c16cbd4b0abe3493b21e4d7d4aebc7ebab0dc40edb02e6c8e61fd4efa0ce1
Opcode Fuzzy Hash: 50c44ea9ac27249a35f1c01bd92ed13959c5931a728a384b39008edbc4f41f7b
Instruction Fuzzy Hash: BD318B31A04306A6DB14FAA1DD43EEE77A8EF20750F605129F415B20E2EF61AE48CA71

Function 00E1C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E1C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E1C4E6
SetWindowTextW.USER32(?,?), ref: 00E1C4FD
GetDlgItem.USER32(?,000003EA), ref: 00E1C512
SetWindowTextW.USER32(00000000,?), ref: 00E1C518
GetDlgItem.USER32(?,000003E9), ref: 00E1C528
SetWindowTextW.USER32(00000000,?), ref: 00E1C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E1C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E1C569
GetWindowRect.USER32(?,?), ref: 00E1C572
SetWindowTextW.USER32(?,?), ref: 00E1C5DD
GetDesktopWindow.USER32 ref: 00E1C5E3
GetWindowRect.USER32(00000000), ref: 00E1C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E1C636
GetClientRect.USER32(?,?), ref: 00E1C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E1C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E1C693

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 7989e9880e81e6ab2ea7b5783756f32b1a06ea4866acce8e3f5b0186fd4a7d0c
Instruction ID: db027ee00bfab576aab9ce65a69f9531168f50456dffeb1184a296bfbfd0af57
Opcode Fuzzy Hash: 7989e9880e81e6ab2ea7b5783756f32b1a06ea4866acce8e3f5b0186fd4a7d0c
Instruction Fuzzy Hash: B0515E70900709AFDB209FA9DD89BAEBBF5FF04B05F104528E696F25A0C774B945CB50

Function 00E4A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E4A4C8
DestroyWindow.USER32(?,?), ref: 00E4A542

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E4A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E4A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4A5F1
DestroyWindow.USER32(00000000), ref: 00E4A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DC0000,00000000), ref: 00E4A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E4A663
GetDesktopWindow.USER32 ref: 00E4A67C
GetWindowRect.USER32(00000000), ref: 00E4A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E4A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E4A6B3

Part of subcall function 00DC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DC25EC

Strings

0, xrefs: 00E4A4DE
tooltips_class32, xrefs: 00E4A5B5, 00E4A643

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ded244737c86b9c68ceba50ccbfed8c6152be53921edb5095406eb35106c4088
Instruction ID: f66554a2e8d353c5513f8804b6a69db1c4e88464d5bd3c7465771c7a3dc30c84
Opcode Fuzzy Hash: ded244737c86b9c68ceba50ccbfed8c6152be53921edb5095406eb35106c4088
Instruction Fuzzy Hash: CE71DD71180205AFD724CF28DC49F6A7BE5FB88714F49456DF989A72A0C770E906CF62

Function 00E44619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E446AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E446F6

Strings

GETITEMCOUNT, xrefs: 00E447D8
EXISTS, xrefs: 00E4475F
UNCHECK, xrefs: 00E448D2
SELECT, xrefs: 00E448A7
COLLAPSE, xrefs: 00E4473C
GETTEXT, xrefs: 00E44849
GETTOTALCOUNT, xrefs: 00E446DD
CHECK, xrefs: 00E44716
ISCHECKED, xrefs: 00E44879
EXPAND, xrefs: 00E447A8
GETSELECTED, xrefs: 00E44806

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 31dc5c5a926ad2f1f0b6f86dc9760aa4682ca426c49b0e4506cb5eecd50a18cf
Instruction ID: 215ef2e5a665df89d13d10e9b52d749905b25269d46a84dadb59971fae16b2d5
Opcode Fuzzy Hash: 31dc5c5a926ad2f1f0b6f86dc9760aa4682ca426c49b0e4506cb5eecd50a18cf
Instruction Fuzzy Hash: 5F9161742047029FCB14EF20D451BAAB7E1EF84314F05A45DF89A6B7A2DB70ED46CB61

Function 00E4BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E4BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E49431), ref: 00E4BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E4BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E4BC7D
FreeLibrary.KERNEL32(?), ref: 00E4BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E4BC99
DestroyIcon.USER32(?,?,?,?,?,00E49431), ref: 00E4BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E4BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E4BCD1

Part of subcall function 00DE313D: __wcsicmp_l.LIBCMT ref: 00DE31C6

Strings

.icl, xrefs: 00E4BAE4
.exe, xrefs: 00E4BB04
.dll, xrefs: 00E4BB27

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: ba804bd891910f53c182fe462c277b9073f0f9adb9f39c7bb00c7c738a005d1d
Instruction ID: 063d220434efebbe34dcdbaa61d49ded65df285dc2f44b1aafffe82af2cb2712
Opcode Fuzzy Hash: ba804bd891910f53c182fe462c277b9073f0f9adb9f39c7bb00c7c738a005d1d
Instruction Fuzzy Hash: F061E271900215BEEB14DF65DC86FBEB7A8EB08B14F10411AF815E61C0DB74DA95CBA0

Function 00E2A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00E4FB78), ref: 00E2A0FC

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00E2A11E
__swprintf.LIBCMT ref: 00E2A177
__swprintf.LIBCMT ref: 00E2A190
_wprintf.LIBCMT ref: 00E2A246
_wprintf.LIBCMT ref: 00E2A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00E2A241
Error: , xrefs: 00E2A20E
%, xrefs: 00E2A0C9
^ ERROR, xrefs: 00E2A1E8
Line %d (File "%s"):, xrefs: 00E2A171, 00E2A18A
"%s" (%d) : ==> %s:, xrefs: 00E2A25F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
API String ID: 311963372-1048875529
Opcode ID: 8b1810f64e24551be6a12b3f72dc1dc427d924a3b66a58bac5eb7e8f1e169f5b
Instruction ID: a5da5b5d6b742891dde77fc38c8dee0d0235a400898800d600632539011a0dbf
Opcode Fuzzy Hash: 8b1810f64e24551be6a12b3f72dc1dc427d924a3b66a58bac5eb7e8f1e169f5b
Instruction Fuzzy Hash: B151297290021AABCB15EBE0DD86EEEB779EF04300F1451A9B505730A1EB316E99DF71

Function 00E2A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

CharLowerBuffW.USER32(?,?), ref: 00E2A636
GetDriveTypeW.KERNEL32 ref: 00E2A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E2A730

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

Strings

open, xrefs: 00E2A65D
type cdaudio alias cd wait, xrefs: 00E2A6AE
close, xrefs: 00E2A63C
set cd door , xrefs: 00E2A6D1
closed, xrefs: 00E2A64A, 00E2A653
wait, xrefs: 00E2A6ED
close cd wait, xrefs: 00E2A71B
open , xrefs: 00E2A692

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 4746307810f7cd247a129a2481cccac073bfc20e2d28ae6a3d8b8035556a89b0
Instruction ID: 4d3a52de0b3e1cabe6c1acbdc3f2c64dc0d110ff9cccd62bcbec5a05ae2f5e4c
Opcode Fuzzy Hash: 4746307810f7cd247a129a2481cccac073bfc20e2d28ae6a3d8b8035556a89b0
Instruction Fuzzy Hash: B0514D711043059FC700EF21D891D6AB7F4EF94718F18996DF89AA7251DB31AE0ACB62

Function 00E2A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E2A47A
__swprintf.LIBCMT ref: 00E2A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E2A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E2A4FE
_memset.LIBCMT ref: 00E2A51D
_wcsncpy.LIBCMT ref: 00E2A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E2A58E
CloseHandle.KERNEL32(00000000), ref: 00E2A599
RemoveDirectoryW.KERNEL32(?), ref: 00E2A5A2
CloseHandle.KERNEL32(00000000), ref: 00E2A5AC

Strings

:, xrefs: 00E2A4BD
\??\%s, xrefs: 00E2A496
\, xrefs: 00E2A4B2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: edca7f150eccdf8d5bc6c9ad3b3673ba39afab44f1337076bbe90b21f217d5f0
Instruction ID: 096c49d698ff0baa67f9a8d3f8c275f5867f24ef09683d9a30f221202ec42273
Opcode Fuzzy Hash: edca7f150eccdf8d5bc6c9ad3b3673ba39afab44f1337076bbe90b21f217d5f0
Instruction Fuzzy Hash: BA31B0B5500219ABDB219FA1EC49FEB73BCEF89705F1441B6FA08E2160E77097458B35

Function 00E4C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E4C4EC
GetFocus.USER32 ref: 00E4C4FC
GetDlgCtrlID.USER32(00000000), ref: 00E4C507
_memset.LIBCMT ref: 00E4C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E4C65D
GetMenuItemCount.USER32(?), ref: 00E4C67D
GetMenuItemID.USER32(?,00000000), ref: 00E4C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E4C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E4C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E4C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E4C779

Strings

0, xrefs: 00E4C62A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d3c3f960a52000cf23d1f5ccf63471716926ccb7a3f53c6acaead22b10db9a8a
Instruction ID: 3bcba28d462e9214c790298952f68b9fda002508bdb3c473ae4a9ea350fef142
Opcode Fuzzy Hash: d3c3f960a52000cf23d1f5ccf63471716926ccb7a3f53c6acaead22b10db9a8a
Instruction Fuzzy Hash: 4481B3705093019FD750DF25E884A6BBBE8FF88718F20552EF999A3291D731D905CFA2

Function 00E183F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E18766
Part of subcall function 00E1874A: GetLastError.KERNEL32(?,00E1822A,?,?,?), ref: 00E18770
Part of subcall function 00E1874A: GetProcessHeap.KERNEL32(00000008,?,?,00E1822A,?,?,?), ref: 00E1877F
Part of subcall function 00E1874A: HeapAlloc.KERNEL32(00000000,?,00E1822A,?,?,?), ref: 00E18786
Part of subcall function 00E1874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E1879D

Part of subcall function 00E187E7: GetProcessHeap.KERNEL32(00000008,00E18240,00000000,00000000,?,00E18240,?), ref: 00E187F3
Part of subcall function 00E187E7: HeapAlloc.KERNEL32(00000000,?,00E18240,?), ref: 00E187FA
Part of subcall function 00E187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E18240,?), ref: 00E1880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E18458
_memset.LIBCMT ref: 00E1846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E1848C
GetLengthSid.ADVAPI32(?), ref: 00E1849D
GetAce.ADVAPI32(?,00000000,?), ref: 00E184DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E184F6
GetLengthSid.ADVAPI32(?), ref: 00E18513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E18522
HeapAlloc.KERNEL32(00000000), ref: 00E18529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E1854A
CopySid.ADVAPI32(00000000), ref: 00E18551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E18582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E185A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E185BC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5b25a2c4fa1844218b3bfb293db6261a464b130239b60cbe766122782f31aa60
Instruction ID: b71943d124e54ec97f0d6ed26c0de3212923349a052977960abbeaa664f2961a
Opcode Fuzzy Hash: 5b25a2c4fa1844218b3bfb293db6261a464b130239b60cbe766122782f31aa60
Instruction Fuzzy Hash: 2F615675A0020AAFDF00DFA1DD44AEEBBBAFF45714F448269E815B7291DB309A45CF60

Function 00E3762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E376A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E376AE
CreateCompatibleDC.GDI32(?), ref: 00E376BA
SelectObject.GDI32(00000000,?), ref: 00E376C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E3771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E37757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E3777B
SelectObject.GDI32(00000006,?), ref: 00E37783
DeleteObject.GDI32(?), ref: 00E3778C
DeleteDC.GDI32(00000006), ref: 00E37793
ReleaseDC.USER32(00000000,?), ref: 00E3779E

Strings

(, xrefs: 00E37723

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b07e80a097543d6632c42c5684f59cf3255ae48bcc1a63aa733b6ac2b529c836
Instruction ID: 766351ce99a575ed2b9aaba80a0e98bee97b08299fef34a0b5db9d8b6000141e
Opcode Fuzzy Hash: b07e80a097543d6632c42c5684f59cf3255ae48bcc1a63aa733b6ac2b529c836
Instruction Fuzzy Hash: 8D515175904209EFCB25CFA9CC89EAEBBB9EF49710F14841DF989A7210D731A845CB60

Function 00DC6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00DE0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DC6C6C,?,00008000), ref: 00DE0BB7

Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DC6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00DC6E5A

Part of subcall function 00DC59CD: _wcscpy.LIBCMT ref: 00DC5A05

Part of subcall function 00DE387D: _iswctype.LIBCMT ref: 00DE3885

Strings

Bad directive syntax error, xrefs: 00DFEBC6
Unterminated string, xrefs: 00DFEC0D
>>>AUTOIT SCRIPT<<<, xrefs: 00DFE8BF
EA06, xrefs: 00DFE87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00DFE84A
AU3!, xrefs: 00DC6CC1
Error opening the file, xrefs: 00DFE866, 00DFE8E1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 6798107f9f51a4ddbcd2ce492ac6644d21e719806e3f2b32d3bd0d59c6086028
Instruction ID: bd769db663e13c9efa367d126d514db86631a38d7a71e44d78c47b487d768bb2
Opcode Fuzzy Hash: 6798107f9f51a4ddbcd2ce492ac6644d21e719806e3f2b32d3bd0d59c6086028
Instruction Fuzzy Hash: 6E026B301083469FC724EF24C891EAFBBE5EF95354F14491DF58A972A1DB30E989CB62

Function 00DC45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC45F9
GetMenuItemCount.USER32(00E86890), ref: 00DFD7CD
GetMenuItemCount.USER32(00E86890), ref: 00DFD87D
GetCursorPos.USER32(?), ref: 00DFD8C1
SetForegroundWindow.USER32(00000000), ref: 00DFD8CA
TrackPopupMenuEx.USER32(00E86890,00000000,?,00000000,00000000,00000000), ref: 00DFD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DFD8E9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: cff7d631f948d82514c43181df0a3e6b0631494718c65ea1223485844067c442
Instruction ID: 68aa801549692f54e19c784c29800a23ee35f0b1f23ab3b79ddb75373bc8e890
Opcode Fuzzy Hash: cff7d631f948d82514c43181df0a3e6b0631494718c65ea1223485844067c442
Instruction Fuzzy Hash: A571263164020ABEEB319F55DC45FBABF66FF05764F24821AF615AA1E0C7B19C10DBA0

Function 00E38BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E38BEC
CoInitialize.OLE32(00000000), ref: 00E38C19
CoUninitialize.OLE32 ref: 00E38C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00E38D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E38E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E52C0C), ref: 00E38E84
CoGetObject.OLE32(?,00000000,00E52C0C,?), ref: 00E38EA7
SetErrorMode.KERNEL32(00000000), ref: 00E38EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E38F3A
VariantClear.OLEAUT32(?), ref: 00E38F4A

Strings

,,, xrefs: 00E38BD6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: c43b372652c0b6ecd268224bab1060aec2e4b8caa16e4fe08089ec74c1ecf36d
Instruction ID: a721eda8a577dd0fd04fe33797144ce0aaa2636b4bcf5820b726777d038948dd
Opcode Fuzzy Hash: c43b372652c0b6ecd268224bab1060aec2e4b8caa16e4fe08089ec74c1ecf36d
Instruction Fuzzy Hash: DBC15571208305AFC700DF64C98892BBBE9FF89708F00595DF58AAB251DB71ED06CB62

Function 00E410A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC

Strings

HKU, xrefs: 00E411CE
HKCR, xrefs: 00E41164
HKEY_CLASSES_ROOT, xrefs: 00E4114F
HKEY_CURRENT_USER, xrefs: 00E4119B
HKEY_LOCAL_MACHINE, xrefs: 00E41125
HKLM, xrefs: 00E4113A
HKEY_USERS, xrefs: 00E411BD
HKCC, xrefs: 00E4118A
HKCU, xrefs: 00E411AC
HKEY_CURRENT_CONFIG, xrefs: 00E41179

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: dce0f73992a10d29487e16699be6897e6a5b3a5f2cbd8ff8885dbf66f0da0f60
Instruction ID: 1b1f21aec8106d7f5090093bb2d11e2a00caeecdc2b333e79617bcc5c7763fc2
Opcode Fuzzy Hash: dce0f73992a10d29487e16699be6897e6a5b3a5f2cbd8ff8885dbf66f0da0f60
Instruction Fuzzy Hash: 8C416F3015128E8BCF10EF91EC91AEA3B24FF51314F505498FD95AB691DB70AD9ACB70

Function 00E25569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

Part of subcall function 00DC7A84: _memmove.LIBCMT ref: 00DC7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E255D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E255E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E255F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E2560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E2561C

Strings

alias PlayMe, xrefs: 00E255AB
play PlayMe, xrefs: 00E25617
play PlayMe wait, xrefs: 00E25606
close PlayMe, xrefs: 00E255E3, 00E25610
status PlayMe mode, xrefs: 00E255CD
open , xrefs: 00E25581

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: e4fbcf6b1e495c85273bb1314cefdff03bf1e1d253092f1e1e943707a2fc9d98
Instruction ID: 95b4b52f4efa9b2eba47d27840ea9f165e1e2d4db1239087953b53071df6ad92
Opcode Fuzzy Hash: e4fbcf6b1e495c85273bb1314cefdff03bf1e1d253092f1e1e943707a2fc9d98
Instruction Fuzzy Hash: FF11602155026A79E720BAA2DC8AEFF7B7CEFD1B00F485469B419B70D1DEA01D05CAB1

Function 00E248F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E2490E
gethostname.WSOCK32(?,00000100), ref: 00E24928
gethostbyname.WSOCK32(?), ref: 00E24935
_wcscpy.LIBCMT ref: 00E2495D
_memmove.LIBCMT ref: 00E24970
inet_ntoa.WSOCK32(?), ref: 00E2497B
_strcat.LIBCMT ref: 00E24989
_wcscpy.LIBCMT ref: 00E249A0
WSACleanup.WSOCK32 ref: 00E249AE
_wcscpy.LIBCMT ref: 00E249BC

Strings

0.0.0.0, xrefs: 00E24957

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6efe967804797e8f539c359bb75276f48c417d04ef4f3be04cf1ed348485d49b
Instruction ID: 1a91bf94fb8067f2f5f79f99577ee386dd2a6a2fec72a364d18ed50c0c78569a
Opcode Fuzzy Hash: 6efe967804797e8f539c359bb75276f48c417d04ef4f3be04cf1ed348485d49b
Instruction Fuzzy Hash: 69110575904125AFDB24EB21EC4AEEF77ACDF81B10F040176F405B6091EF749AC68671

Function 00E25217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E2521C

Part of subcall function 00DE0719: timeGetTime.WINMM(?,75A8B400,00DD0FF9), ref: 00DE071D

Sleep.KERNEL32(0000000A), ref: 00E25248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E2526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E2528E
SetActiveWindow.USER32 ref: 00E252AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E252BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E252DA
Sleep.KERNEL32(000000FA), ref: 00E252E5
IsWindow.USER32 ref: 00E252F1
EndDialog.USER32(00000000), ref: 00E25302

Strings

BUTTON, xrefs: 00E25280

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ac34d1c9ed07f982834f62529d31d03c6283b49632fc624b33634247504d6419
Instruction ID: cb31d47b66461e8e449b2aa71a8fe30cdd632e26991dcd9745e38172a2995ad9
Opcode Fuzzy Hash: ac34d1c9ed07f982834f62529d31d03c6283b49632fc624b33634247504d6419
Instruction Fuzzy Hash: 3121C676104714EFE7005B32FE89B263B6AEB4679AF103474F009B11B1DBB59C498B71

Function 00E2D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

CoInitialize.OLE32(00000000), ref: 00E2D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E2D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00E2D8FC
CoCreateInstance.OLE32(00E52D7C,00000000,00000001,00E7A89C,?), ref: 00E2D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E2D9B7
CoTaskMemFree.OLE32(?,?), ref: 00E2DA0F
_memset.LIBCMT ref: 00E2DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00E2DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E2DAAB
CoTaskMemFree.OLE32(00000000), ref: 00E2DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E2DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00E2DAEB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 73f91a2798651efc2cccfc206be2c0f893ae953e01057e6d95c18036373f6f8c
Instruction ID: a07c947cfaa74773b311b6659037334cfac278c9058d2f07e524dc050eccaa99
Opcode Fuzzy Hash: 73f91a2798651efc2cccfc206be2c0f893ae953e01057e6d95c18036373f6f8c
Instruction Fuzzy Hash: 48B10B75A00119AFDB04DF65DC88EAEBBF9EF48304B1484A9F909EB251DB30ED45CB60

Function 00E2052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E205A7
SetKeyboardState.USER32(?), ref: 00E20612
GetAsyncKeyState.USER32(000000A0), ref: 00E20632
GetKeyState.USER32(000000A0), ref: 00E20649
GetAsyncKeyState.USER32(000000A1), ref: 00E20678
GetKeyState.USER32(000000A1), ref: 00E20689
GetAsyncKeyState.USER32(00000011), ref: 00E206B5
GetKeyState.USER32(00000011), ref: 00E206C3
GetAsyncKeyState.USER32(00000012), ref: 00E206EC
GetKeyState.USER32(00000012), ref: 00E206FA
GetAsyncKeyState.USER32(0000005B), ref: 00E20723
GetKeyState.USER32(0000005B), ref: 00E20731

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 58951b7e044831b79b90d5b7fcc3ec3ea288fc9032c76d12a216be01556145ca
Instruction ID: 05796e8c1d397c144bde1dee415995eea8c7739f8b30f0e9dcc87548e4f5e411
Opcode Fuzzy Hash: 58951b7e044831b79b90d5b7fcc3ec3ea288fc9032c76d12a216be01556145ca
Instruction Fuzzy Hash: 63512C30A047A819FB35EBB0A4547EABFF49F11384F08559AC5C2765C3DA649B8CCF61

Function 00E1C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E1C746
GetWindowRect.USER32(00000000,?), ref: 00E1C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E1C7B6
GetDlgItem.USER32(?,00000002), ref: 00E1C7C1
GetWindowRect.USER32(00000000,?), ref: 00E1C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E1C827
GetDlgItem.USER32(?,000003E9), ref: 00E1C835
GetWindowRect.USER32(00000000,?), ref: 00E1C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E1C889
GetDlgItem.USER32(?,000003EA), ref: 00E1C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E1C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00E1C8C1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1ced92245293d37b24b994100113b1e574ec90df011eb57d351b7cb57027edb4
Instruction ID: 5db6ad371d7c4db9145aa00cc00534d370a57742dc26f32aeac4973ac83d8371
Opcode Fuzzy Hash: 1ced92245293d37b24b994100113b1e574ec90df011eb57d351b7cb57027edb4
Instruction Fuzzy Hash: BD517075B00205AFDB08CF69DD89AAEBBB6EB89710F14812DF515E7290D770AD44CB50

Function 00DC201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DC2036,?,00000000,?,?,?,?,00DC16CB,00000000,?), ref: 00DC1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DC20D3
KillTimer.USER32(-00000001,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DC216E
DestroyAcceleratorTable.USER32(00000000), ref: 00DFBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DFBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DFBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DC16CB,00000000,?,?,00DC1AE2,?,?), ref: 00DFBF5A
DeleteObject.GDI32(00000000), ref: 00DFBF6C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7443283d7baff8e59435e2e0d081be9b2eeba874b98264155e855dc067811dab
Instruction ID: 32f13e3657276a15b3eed0d03a35b3e4b1d71127d3506db639148c96803fafca
Opcode Fuzzy Hash: 7443283d7baff8e59435e2e0d081be9b2eeba874b98264155e855dc067811dab
Instruction Fuzzy Hash: 25617A34500616DFCB299F15DD48B39B7F1FF41322F18842EE18A67960C776A895EFA0

Function 00DC21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00DC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DC25EC

GetSysColor.USER32(0000000F), ref: 00DC21D3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: eeb37af4496280b30a200e323727cd32a85ebc64fd02b611135fa64d04ea7fd3
Instruction ID: 030931566f228210f7552dd32e28147900f92ab031fcd388af769745d14f3916
Opcode Fuzzy Hash: eeb37af4496280b30a200e323727cd32a85ebc64fd02b611135fa64d04ea7fd3
Instruction Fuzzy Hash: 2541CF35000245AFDB219F28DC88FB97B65EB06731F184269FE659B2E2C7318C42DB35

Function 00E2AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00E4F910), ref: 00E2AB76
GetDriveTypeW.KERNEL32(00000061,00E7A620,00000061), ref: 00E2AC40
_wcscpy.LIBCMT ref: 00E2AC6A

Strings

removable, xrefs: 00E2ABA8
network, xrefs: 00E2ABD4
ramdisk, xrefs: 00E2ABEA
cdrom, xrefs: 00E2AB92
unknown, xrefs: 00E2AC01
fixed, xrefs: 00E2ABBE
all, xrefs: 00E2AB7C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 0adc7d2617591614594c67fbcb29373e125754594faad2128bcb4900b096fd10
Instruction ID: b2c34860f882af3d30e3ae3b2041c59b3efc46013b4392fc0852f5ed749f70d9
Opcode Fuzzy Hash: 0adc7d2617591614594c67fbcb29373e125754594faad2128bcb4900b096fd10
Instruction Fuzzy Hash: C851A0301083529FC714EF14D892EAEB7A5EF80714F18582DF496A72A2DB71DD49CB63

Function 00E4C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

Part of subcall function 00DC2344: GetCursorPos.USER32(?), ref: 00DC2357
Part of subcall function 00DC2344: ScreenToClient.USER32(00E867B0,?), ref: 00DC2374
Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000001), ref: 00DC2399
Part of subcall function 00DC2344: GetAsyncKeyState.USER32(00000002), ref: 00DC23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E4C2E4
ImageList_EndDrag.COMCTL32 ref: 00E4C2EA
ReleaseCapture.USER32 ref: 00E4C2F0
SetWindowTextW.USER32(?,00000000), ref: 00E4C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E4C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E4C48F

Strings

pr, xrefs: 00E4C3FD
@GUI_DRAGFILE, xrefs: 00E4C424
@GUI_DROPID, xrefs: 00E4C3E1
pr, xrefs: 00E4C438

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
API String ID: 1924731296-488423084
Opcode ID: 8ffca48b33ef7eb29c08eadd81ed60c7c1723761e9186d44f2c86e6e922ff4ba
Instruction ID: 0f62c5d8dbde1b073f83e3205227c1aa742b07fae4d32fe6cb0abde9c89657b7
Opcode Fuzzy Hash: 8ffca48b33ef7eb29c08eadd81ed60c7c1723761e9186d44f2c86e6e922ff4ba
Instruction Fuzzy Hash: B851BB74204301AFD704EF21D896F6A7BE1EF88714F10852DF599AB2E1CB70A948CB62

Function 00DC9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00DC99C2
__swprintf.LIBCMT ref: 00DC9A0C
__i64tow.LIBCMT ref: 00DFFA0F

Strings

False, xrefs: 00DFF9D7
True, xrefs: 00DFF9D0
%.15g, xrefs: 00DC9A06
0x%p, xrefs: 00DFF9F1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c5bbb91441a92bf582ae0295371295bdda912c8a6e6b24ad5a91aa1235293c9b
Instruction ID: 28df43ea7b0e3cad2cedf010ef6c792094d633988dd61ed51c515f63663f0c9f
Opcode Fuzzy Hash: c5bbb91441a92bf582ae0295371295bdda912c8a6e6b24ad5a91aa1235293c9b
Instruction Fuzzy Hash: AF41B57160420AAADB24AB35D846F7AB7E8EF45300F24846EE689D7291EE71D941CF31

Function 00E473C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E473D9
CreateMenu.USER32 ref: 00E473F4
SetMenu.USER32(?,00000000), ref: 00E47403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E47490
IsMenu.USER32(?), ref: 00E474A6
CreatePopupMenu.USER32 ref: 00E474B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E474DD
DrawMenuBar.USER32 ref: 00E474E5

Strings

F, xrefs: 00E474D1
0, xrefs: 00E473CF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5f54432dad1394430be08bb98fd45421b1d8d232f6824b57aeda194b54124316
Instruction ID: 93a53197d91210b2f3b47ad9480d8008f21f40dfdb12c7d33881a19e50e5a9e3
Opcode Fuzzy Hash: 5f54432dad1394430be08bb98fd45421b1d8d232f6824b57aeda194b54124316
Instruction Fuzzy Hash: 4B415A78A00205EFDB10DF65E844EAABBF5FF49305F144029E959B7350D735AD14CBA0

Function 00E4772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E477CD
CreateCompatibleDC.GDI32(00000000), ref: 00E477D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E477E7
SelectObject.GDI32(00000000,00000000), ref: 00E477EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E477FA
DeleteDC.GDI32(00000000), ref: 00E47803
GetWindowLongW.USER32(?,000000EC), ref: 00E4780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E47821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E4782D

Strings

static, xrefs: 00E47765

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7de898756c30d695dc626237ac9c3b8ae7a38b455c2fa5c37e38db4020cad467
Instruction ID: cf1af90808e945b8ab6b1f845cb6d3c0277657d9129f8c972eb79d984e5cafa6
Opcode Fuzzy Hash: 7de898756c30d695dc626237ac9c3b8ae7a38b455c2fa5c37e38db4020cad467
Instruction Fuzzy Hash: 6A31AA36101215AFDF119FA5EC08FDA3B69EF0E725F110225FA55B60A0C731D826DBA0

Function 00DE7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE707B

Part of subcall function 00DE8D68: __getptd_noexit.LIBCMT ref: 00DE8D68

__gmtime64_s.LIBCMT ref: 00DE7114
__gmtime64_s.LIBCMT ref: 00DE714A
__gmtime64_s.LIBCMT ref: 00DE7167
__allrem.LIBCMT ref: 00DE71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE71D9
__allrem.LIBCMT ref: 00DE71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE720E
__allrem.LIBCMT ref: 00DE7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE7243
__invoke_watson.LIBCMT ref: 00DE72B4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: dd04f5fc0f126df7dca2295590aa031b35da4e929d4369efd1ca897a67aa3cb5
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: FA71F871A04757ABD754BE7ACC42B6AB3B8FF10320F15822AF614E7681E770E94087B4

Function 00E22A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E22A31
GetMenuItemInfoW.USER32(00E86890,000000FF,00000000,00000030), ref: 00E22A92
SetMenuItemInfoW.USER32(00E86890,00000004,00000000,00000030), ref: 00E22AC8
Sleep.KERNEL32(000001F4), ref: 00E22ADA
GetMenuItemCount.USER32(?), ref: 00E22B1E
GetMenuItemID.USER32(?,00000000), ref: 00E22B3A
GetMenuItemID.USER32(?,-00000001), ref: 00E22B64
GetMenuItemID.USER32(?,?), ref: 00E22BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E22BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E22C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E22C24

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 477be848895ea2cb25704c7ba6041a421a78c2393c3930b16715821cce0e0ad7
Instruction ID: 011d5f3bc2a42354e74ebac56de31034ca235a235c5eea8aa6449e05ee9b910f
Opcode Fuzzy Hash: 477be848895ea2cb25704c7ba6041a421a78c2393c3930b16715821cce0e0ad7
Instruction Fuzzy Hash: 5061BFB0900259BFDB21CF64EC88EEEBBB8EB41308F14556DEA41B7251D731AD06DB20

Function 00E47192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E47214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E47217
GetWindowLongW.USER32(?,000000F0), ref: 00E4723B
_memset.LIBCMT ref: 00E4724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E4725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E472D6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 2e1e44449717b312f46c6c63f2d75a860580d75e71490c1c136695e48f6f7c05
Instruction ID: 2e24f9e8118ae7d45446c173c99159ecfb64bd25f5a11fd2419d958e3a826cd6
Opcode Fuzzy Hash: 2e1e44449717b312f46c6c63f2d75a860580d75e71490c1c136695e48f6f7c05
Instruction Fuzzy Hash: 37616875A00208AFDB10DFA4DC81EEE77F8EB09714F144199FA58B72A1C771AA45DBA0

Function 00E1710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E17135
SafeArrayAllocData.OLEAUT32(?), ref: 00E1718E
VariantInit.OLEAUT32(?), ref: 00E171A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E171C0
VariantCopy.OLEAUT32(?,?), ref: 00E17213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E17227
VariantClear.OLEAUT32(?), ref: 00E1723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00E17249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E17252
VariantClear.OLEAUT32(?), ref: 00E17264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E1726F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a9748bb90c40b051ee89351efb7b97a36a03de043cf4fcd3afbf49c5f412b224
Instruction ID: e7fe2bd7eba04471011f8cf6130439e000f1c80a8385b15cd5816fa68610eda8
Opcode Fuzzy Hash: a9748bb90c40b051ee89351efb7b97a36a03de043cf4fcd3afbf49c5f412b224
Instruction Fuzzy Hash: F6414075A04219AFCB04DF65D848DEEBBB8FF48754F008069F955B7261CB30A986CBA0

Function 00E35A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E35AA6
inet_addr.WSOCK32(?,?,?), ref: 00E35AEB
gethostbyname.WSOCK32(?), ref: 00E35AF7
IcmpCreateFile.IPHLPAPI ref: 00E35B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E35B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E35B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E35C00
WSACleanup.WSOCK32 ref: 00E35C06

Strings

Ping, xrefs: 00E35B29

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 603e69085e7b5c3a836e8414fcf9d2e8f55ce1522866606d6a89684a9b2d3166
Instruction ID: 17f8ed18fe7c43c42d9ed49368d6e6e702b76ebb36cb969ab9dd5db4f15cb753
Opcode Fuzzy Hash: 603e69085e7b5c3a836e8414fcf9d2e8f55ce1522866606d6a89684a9b2d3166
Instruction Fuzzy Hash: 6951BE322047019FD710EF25DC49B6ABBE4EF48714F04992AF95AEB3A1DB70E844CB21

Function 00E2B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E2B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E2B7B1
GetLastError.KERNEL32 ref: 00E2B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00E2B828

Strings

READY, xrefs: 00E2B801
UNKNOWN, xrefs: 00E2B7E0
INVALID, xrefs: 00E2B7FA
READONLY, xrefs: 00E2B7F3
NOTREADY, xrefs: 00E2B7E7

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6957f81aee824f54f89e72d6f715b602217310c28b050da0b08380a38a359739
Instruction ID: ad68ff98bafcc7609803cf0bb2e93b9c1f9bf6d80a02efe57b37e637a687d862
Opcode Fuzzy Hash: 6957f81aee824f54f89e72d6f715b602217310c28b050da0b08380a38a359739
Instruction Fuzzy Hash: 9C31A135A002159FDB04EF64E889EAEB7B4EF84704F14912AF405F7292DB719942CB61

Function 00E19471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E194F6
GetDlgCtrlID.USER32 ref: 00E19501
GetParent.USER32 ref: 00E1951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E19520
GetDlgCtrlID.USER32(?), ref: 00E19529
GetParent.USER32(?), ref: 00E19545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E19548

Strings

ListBox, xrefs: 00E194B3
ComboBox, xrefs: 00E1947E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: cb1dc12f4be5760c5e5b9a684e8f6abcbf65e2e646471b41d895cf82bf480712
Instruction ID: 14d672b526d08734a2fdfab2b3cf9ae3b98e0f29d8dd5b1f969b1a15eb8ca266
Opcode Fuzzy Hash: cb1dc12f4be5760c5e5b9a684e8f6abcbf65e2e646471b41d895cf82bf480712
Instruction Fuzzy Hash: 0421E074E00204AFDF00ABA1CCD5EFEBBA5EF49300F104169F922A72A2DB7559599B70

Function 00E1955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E195DF
GetDlgCtrlID.USER32 ref: 00E195EA
GetParent.USER32 ref: 00E19606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E19609
GetDlgCtrlID.USER32(?), ref: 00E19612
GetParent.USER32(?), ref: 00E1962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E19631

Strings

ListBox, xrefs: 00E1959E
ComboBox, xrefs: 00E19569

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9ac0fe2ef5721266583f7851432afb00cddab2dbd963bf2d5f59b4d6c959428c
Instruction ID: 0e4dd3ef8be1031fef74e6143653dcaf93d5fcf162683bcc1b49970198612823
Opcode Fuzzy Hash: 9ac0fe2ef5721266583f7851432afb00cddab2dbd963bf2d5f59b4d6c959428c
Instruction Fuzzy Hash: 5921CF74E00204BFDF00ABA1CC95EFEBBA8EF49300F114059F921A72A2DB7599599B70

Function 00E19645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E19651
GetClassNameW.USER32(00000000,?,00000100), ref: 00E19666
_wcscmp.LIBCMT ref: 00E19678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E196F3

Strings

largeicons, xrefs: 00E19687
smallicons, xrefs: 00E196BB
list, xrefs: 00E196D5
details, xrefs: 00E196A1
SHELLDLL_DefView, xrefs: 00E19672

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: dc3bdd0a29a35da4da8e434dfd91127b8354fc97f165eaa10c27418676e48d21
Instruction ID: 6e6a5e0e12d952c2d81e95483f7129b0087c9b3d54724e08b99a12d0a6818d09
Opcode Fuzzy Hash: dc3bdd0a29a35da4da8e434dfd91127b8354fc97f165eaa10c27418676e48d21
Instruction Fuzzy Hash: E7113A36248313BAFA063621DC2ADE6779CDF01764B201026F904B60D3FE5169814678

Function 00E24189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00E2419D
__swprintf.LIBCMT ref: 00E241AA

Part of subcall function 00DE38D8: __woutput_l.LIBCMT ref: 00DE3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00E241D4
LoadResource.KERNEL32(?,00000000), ref: 00E241E0
LockResource.KERNEL32(00000000), ref: 00E241ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00E2420D
LoadResource.KERNEL32(?,00000000), ref: 00E2421F
SizeofResource.KERNEL32(?,00000000), ref: 00E2422E
LockResource.KERNEL32(?), ref: 00E2423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E2429B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: d5e1b6eb5d0349f3f0af5982ce39930888d8ebb912a0c85377a8c560b30a1d3f
Instruction ID: f3ab323f4370f484c8cf76a1a0ebdc659822ed8edee22f36a5315471b720d723
Opcode Fuzzy Hash: d5e1b6eb5d0349f3f0af5982ce39930888d8ebb912a0c85377a8c560b30a1d3f
Instruction Fuzzy Hash: B43182B650522AAFDB119FA2EC48EBF7BACEF05705F004525F905F21A0D770DA618BB4

Function 00E216DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E21700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E20778,?,00000001), ref: 00E21714
GetWindowThreadProcessId.USER32(00000000), ref: 00E2171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E20778,?,00000001), ref: 00E2172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E2173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E20778,?,00000001), ref: 00E21755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E20778,?,00000001), ref: 00E21767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E20778,?,00000001), ref: 00E217AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E20778,?,00000001), ref: 00E217C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E20778,?,00000001), ref: 00E217CC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ba01f7d8ef81e1cde5e4ad0c5d4b1fa5ed05126293958edf2a18b9737b5b4cc4
Instruction ID: 7dea5563c36a3678f53da0f3be29e813b951275b16f7550f1e7acd27ccb08b53
Opcode Fuzzy Hash: ba01f7d8ef81e1cde5e4ad0c5d4b1fa5ed05126293958edf2a18b9737b5b4cc4
Instruction Fuzzy Hash: B531C375600214BFEB119F16EC84F7A37E9EBA6B15F2140A6F904F62A0D774DE48CB60

Function 00DCFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DCFC06
OleUninitialize.OLE32(?,00000000), ref: 00DCFCA5
UnregisterHotKey.USER32(?), ref: 00DCFDFC
DestroyWindow.USER32(?), ref: 00E04A00
FreeLibrary.KERNEL32(?), ref: 00E04A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E04A92

Strings

close all, xrefs: 00DCFC01

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 884aa6eca17a34b69246ea5e981b65816a94a978f390aa5fc5d36f0d7e4cf673
Instruction ID: 3eb6c353c55ee127bdfbc7dfd042099f5b050ee6b2f9f72ae351898b7ef21398
Opcode Fuzzy Hash: 884aa6eca17a34b69246ea5e981b65816a94a978f390aa5fc5d36f0d7e4cf673
Instruction Fuzzy Hash: CAA16AB07012128FCB29EF55C594F69F7A5EF04700F1452ADE90AAB2A2DB30ED56CF64

Function 00E39428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E3947C
VariantInit.OLEAUT32(?), ref: 00E3954D
VariantInit.OLEAUT32(?), ref: 00E3964E
VariantClear.OLEAUT32(?), ref: 00E39658
VariantClear.OLEAUT32(?), ref: 00E396B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00E39631
,,, xrefs: 00E394FA
Null Object assignment in FOR..IN loop, xrefs: 00E394DD, 00E3960B, 00E396C3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: 72230b9b50dc436e5db87e2abdb5c20c38a944564d6f5f81b19ac2578019065c
Instruction ID: 5df22b40517a769f89f56fada94fdc6c2b0ae1dafee8ded9aba59e35759d3b4b
Opcode Fuzzy Hash: 72230b9b50dc436e5db87e2abdb5c20c38a944564d6f5f81b19ac2578019065c
Instruction Fuzzy Hash: 3791E071A00215AFDF24DFA5C889FAEBBB8EF85314F109059F515BB282D7B09945CFA0

Function 00E1A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00E1AA64), ref: 00E1A9A2

Strings

CLASSNN, xrefs: 00E1A744
CLASS, xrefs: 00E1A721
NAME, xrefs: 00E1A7D4
TEXT, xrefs: 00E1A8D9
REGEXPCLASS, xrefs: 00E1A767
INSTANCE, xrefs: 00E1A8B0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 17421a25e25b5598a8991215ae0ff5d86f281f9c7d959fe9a3ea7e2fef7b4219
Instruction ID: f1a2ad53aac47006d5770cc25213f79cbf30f4f062adb95a8d65d0738fe7afab
Opcode Fuzzy Hash: 17421a25e25b5598a8991215ae0ff5d86f281f9c7d959fe9a3ea7e2fef7b4219
Instruction Fuzzy Hash: BB919230601646AADB08EF60D482BF9FB75FF44314F189129D89AB7151DB306AD9CBB1

Function 00DC2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DC2EAE

Part of subcall function 00DC1DB3: GetClientRect.USER32(?,?), ref: 00DC1DDC
Part of subcall function 00DC1DB3: GetWindowRect.USER32(?,?), ref: 00DC1E1D
Part of subcall function 00DC1DB3: ScreenToClient.USER32(?,?), ref: 00DC1E45

GetDC.USER32 ref: 00DFCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DFCF95
SelectObject.GDI32(00000000,00000000), ref: 00DFCFA3
SelectObject.GDI32(00000000,00000000), ref: 00DFCFB8
ReleaseDC.USER32(?,00000000), ref: 00DFCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DFD04B

Strings

U, xrefs: 00DFCF20

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 657682f02a3eb1ba4d6475602ed43afdb26c96a7d76fe4bbf84d84fd5cbbf2bd
Instruction ID: 2f41ef2c707642ea15c47fbf0a99a68e07225a7df56b6a8f1292115bd009d6e0
Opcode Fuzzy Hash: 657682f02a3eb1ba4d6475602ed43afdb26c96a7d76fe4bbf84d84fd5cbbf2bd
Instruction Fuzzy Hash: C271A230500209DFCF259F64C984ABA7BB6FF49350F19826AFE55AB1A6C7318852DB70

Function 00E38F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E4F910), ref: 00E3903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E4F910), ref: 00E39071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E391EB
SysFreeString.OLEAUT32(?), ref: 00E39215

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 196d7643b90c93a4d93e75960297c5cdb2a3eab8a890852a51a0556235296e85
Instruction ID: 0cf7f682ea590fbe3f2d53333c54b6de8999ac7b80f0730d8a876523926512b0
Opcode Fuzzy Hash: 196d7643b90c93a4d93e75960297c5cdb2a3eab8a890852a51a0556235296e85
Instruction Fuzzy Hash: 41F11A75A00209EFDB04DF94C888EAEBBB9FF89314F108059F515BB251DB71AE45CB60

Function 00E3F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E3F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E3FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E3FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E3FD90
CloseHandle.KERNEL32(?), ref: 00E3FDBF
CloseHandle.KERNEL32(?), ref: 00E3FE36

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 3136e7f1745b8ab493e22d0e83f2a12b5d62f9f7d4cab2b71bbaaf10bfa6383d
Instruction ID: a932ef4352a9afe7deb3921c38ee12b03965daa3668b5d3b58c1bb0c1b6e0784
Opcode Fuzzy Hash: 3136e7f1745b8ab493e22d0e83f2a12b5d62f9f7d4cab2b71bbaaf10bfa6383d
Instruction Fuzzy Hash: 74E1C331604341DFCB14EF25C899B6ABBE1EF84714F14956DF899AB2A2CB30DC45CB62

Function 00E24F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E238D3,?), ref: 00E248C7

Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E238D3,?), ref: 00E248E0

Part of subcall function 00E24CD3: GetFileAttributesW.KERNEL32(?,00E23947), ref: 00E24CD4

lstrcmpiW.KERNEL32(?,?), ref: 00E24FE2
_wcscmp.LIBCMT ref: 00E24FFC
MoveFileW.KERNEL32(?,?), ref: 00E25017

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 68e27d5898586662696ef97253e6e604dd4e1c9bb2ee23b72e7d63569e9d874f
Instruction ID: ccd90a91452f2a824399dd3f628fdf0650bf67ea6c340071239e0442947c2e56
Opcode Fuzzy Hash: 68e27d5898586662696ef97253e6e604dd4e1c9bb2ee23b72e7d63569e9d874f
Instruction Fuzzy Hash: D25143B20087959BD724EB60DC819DFB3ECEF85341F00592EF185E3191EE74A6888B76

Function 00E488B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E4896E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 629babccd5cbc53cbf9fcc1c0a05815e4a986a124071c0eb8f471a5f008a2635
Instruction ID: c949a33e1531fe21ba58ad1c66a66dc20327e7f3f2cd403a47bf6435ec7d68cd
Opcode Fuzzy Hash: 629babccd5cbc53cbf9fcc1c0a05815e4a986a124071c0eb8f471a5f008a2635
Instruction Fuzzy Hash: F651E530500204BFDF349F25EE85BAD7BA5FB05354F606116F614F65A0CFB1A980DB91

Function 00DC2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DFC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DFC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DFC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DFC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DFC5C0
DestroyIcon.USER32(00000000), ref: 00DFC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DFC5EC
DestroyIcon.USER32(?), ref: 00DFC5FB

Part of subcall function 00E4A71E: DeleteObject.GDI32(00000000), ref: 00E4A757

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 33845584564ec560bf309182f46193a1f60c313558ed3147709971df7d61a307
Instruction ID: 5db5a018e1836ff62533ef81c97d335698f04dd4119bfecaef92586dc0ac9f44
Opcode Fuzzy Hash: 33845584564ec560bf309182f46193a1f60c313558ed3147709971df7d61a307
Instruction Fuzzy Hash: B1519874A1020AAFDB24DF25DC45FBA3BB5EB48720F14452CF946A72A0DB70ED90DB60

Function 00E18E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E18A84,00000B00,?,?), ref: 00E18E0C
HeapAlloc.KERNEL32(00000000,?,00E18A84,00000B00,?,?), ref: 00E18E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E18A84,00000B00,?,?), ref: 00E18E28
GetCurrentProcess.KERNEL32(?,00000000,?,00E18A84,00000B00,?,?), ref: 00E18E30
DuplicateHandle.KERNEL32(00000000,?,00E18A84,00000B00,?,?), ref: 00E18E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E18A84,00000B00,?,?), ref: 00E18E43
GetCurrentProcess.KERNEL32(00E18A84,00000000,?,00E18A84,00000B00,?,?), ref: 00E18E4B
DuplicateHandle.KERNEL32(00000000,?,00E18A84,00000B00,?,?), ref: 00E18E4E
CreateThread.KERNEL32(00000000,00000000,00E18E74,00000000,00000000,00000000), ref: 00E18E68

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b3300dc8eb5ca4c056fa0b8e08cb996b68447d455e67e53f5056fe973305c0c9
Instruction ID: 9948d8fcdab1c4caafb93d9a978ae26871249c139e5db07c96eed07d787278fb
Opcode Fuzzy Hash: b3300dc8eb5ca4c056fa0b8e08cb996b68447d455e67e53f5056fe973305c0c9
Instruction Fuzzy Hash: C301BF79641304FFE710ABA5DC4DF573BACEB89B11F004421FA05EB2A2CA70D805CB60

Function 00E39A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00E17652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?,?,00E1799D), ref: 00E1766F
Part of subcall function 00E17652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E1768A
Part of subcall function 00E17652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E17698
Part of subcall function 00E17652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?), ref: 00E176A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E39B1B
_memset.LIBCMT ref: 00E39B28
_memset.LIBCMT ref: 00E39C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E39C97
CoTaskMemFree.OLE32(?), ref: 00E39CA2

Strings

NULL Pointer assignment, xrefs: 00E39CF0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d8a95db168dc407eb8a1cb0eb0a18d4517f04157e55c0dda7351a57c24c18ab0
Instruction ID: bc49d688db7592d862527a3b576b304ccf445d6f41164eba5ba3a6a4c7c3c8b3
Opcode Fuzzy Hash: d8a95db168dc407eb8a1cb0eb0a18d4517f04157e55c0dda7351a57c24c18ab0
Instruction Fuzzy Hash: 1C910771D00229ABDB10DFA5DC85EDEBBB9EF08710F20415AF519B7281DB716A45CFA0

Function 00E46FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E47093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E470A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E470C1
_wcscat.LIBCMT ref: 00E4711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E47133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E47161

Strings

SysListView32, xrefs: 00E47065

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 5bf65c376d1d82315434495a1b5fd993ec99d8adfbaa5965c29f00eccc647171
Instruction ID: 4f4ce4e3d2a4a5630c301ee79e9a89aca459545cb1e7a8bbe91af700330fd235
Opcode Fuzzy Hash: 5bf65c376d1d82315434495a1b5fd993ec99d8adfbaa5965c29f00eccc647171
Instruction Fuzzy Hash: B941C470904308AFEB219F64DC85BEE77E8EF08754F10146AF588B7291D7729D848BA0

Function 00E3EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00E23E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E23EB6
Part of subcall function 00E23E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E23EC4
Part of subcall function 00E23E91: CloseHandle.KERNEL32(00000000), ref: 00E23F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E3ECB8
GetLastError.KERNEL32 ref: 00E3ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E3ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E3ED77
GetLastError.KERNEL32(00000000), ref: 00E3ED82
CloseHandle.KERNEL32(00000000), ref: 00E3EDB7

Strings

SeDebugPrivilege, xrefs: 00E3ECD6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: aff39694c0c371b33ffa66b4dcd7a351c29adcc206b1a6d4025eb712e812c678
Instruction ID: fee3d50522ee76d276dc925cd14a13ceec78837eb209c5c11acf67ca38dedcc2
Opcode Fuzzy Hash: aff39694c0c371b33ffa66b4dcd7a351c29adcc206b1a6d4025eb712e812c678
Instruction Fuzzy Hash: 42419E712002019FDB15EF24C899F6EBBA1AF40714F088459F846AB3C2DBB5A849CBA1

Function 00E23226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E232C5

Strings

info, xrefs: 00E23266
blank, xrefs: 00E23247
stop, xrefs: 00E23296
question, xrefs: 00E2327E
warning, xrefs: 00E232AE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9f29109feeda4ce8c20646e0d7f97de0e4a7143c8f2fc3364610273be822ae90
Instruction ID: 7e252cd8d5aa803d718f78e1ab7dbf86a0ea338dc7b05ab4283431bc8373349b
Opcode Fuzzy Hash: 9f29109feeda4ce8c20646e0d7f97de0e4a7143c8f2fc3364610273be822ae90
Instruction Fuzzy Hash: C91127332083A6FAE7056B65FC42CAEB3DCDF19774F20102AF504B6192E6A96B404DB5

Function 00E24534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E2454E
LoadStringW.USER32(00000000), ref: 00E24555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E2456B
LoadStringW.USER32(00000000), ref: 00E24572
_wprintf.LIBCMT ref: 00E24598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E245B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E24593

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 54caf658e16f764c195cfcfa79a86a9795663913557ce060a19e30dfde20f37f
Instruction ID: de29a3fc3d7535bb8bd716e305b0c56e194cb086bbcc5d72aa5ca689271055c3
Opcode Fuzzy Hash: 54caf658e16f764c195cfcfa79a86a9795663913557ce060a19e30dfde20f37f
Instruction Fuzzy Hash: E7014FF6900218BFE710E7A59D89EE7776CDB08701F0005A5FB49F2152EA749E8A8B70

Function 00E4D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

GetSystemMetrics.USER32(0000000F), ref: 00E4D78A
GetSystemMetrics.USER32(0000000F), ref: 00E4D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E4D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E4DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E4DA24
ShowWindow.USER32(00000003,00000000), ref: 00E4DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00E4DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00E4DA8B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c73826263a4300b4e08e3c56af7b33daf3f07df93aa074b665d4bde39e5fc51e
Instruction ID: 463ed97cfc29d91d34a5f49d017d5bd1e2ad76a31db44bb98edc28c1d7e6308e
Opcode Fuzzy Hash: c73826263a4300b4e08e3c56af7b33daf3f07df93aa074b665d4bde39e5fc51e
Instruction Fuzzy Hash: B2B1B931604225EFDF18CF69D9897BD7BB1FF48704F08906AED48AB295D734A950CBA0

Function 00DC2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000), ref: 00DC2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000,000000FF), ref: 00DC2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000), ref: 00DFC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DFC417,00000004,00000000,00000000,00000000), ref: 00DFC4D6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2634ff31b5000a9441e996304f3030927a3fd177de58da8962fa9d2d4300c4c6
Instruction ID: 5dec6f2bd67ea202fceb33d86be5cb70a68cae359bf5b9b571640ea6b540f7f4
Opcode Fuzzy Hash: 2634ff31b5000a9441e996304f3030927a3fd177de58da8962fa9d2d4300c4c6
Instruction Fuzzy Hash: 854128302146869EC7398B299D9CF7B3BA2AF86310F1DC81DE18BD75A0C675E856D730

Function 00E27368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E2737F

Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E273B6
EnterCriticalSection.KERNEL32(?), ref: 00E273D2
_memmove.LIBCMT ref: 00E27420
_memmove.LIBCMT ref: 00E2743D
LeaveCriticalSection.KERNEL32(?), ref: 00E2744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E27461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E27480

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 90d5f336195c0e876818f150ce9f0bb580b65d101f9b51a08e4df32a82943add
Instruction ID: ae1e818638874146054e8f31e7779c01a30164182c009d3b7bac9210e011b8b7
Opcode Fuzzy Hash: 90d5f336195c0e876818f150ce9f0bb580b65d101f9b51a08e4df32a82943add
Instruction Fuzzy Hash: AE31BA36A04205EFCF10EF66DC85AAFBBB8EF45710B1440A5F904AB256DB70DA54CBB0

Function 00E46442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E4645A
GetDC.USER32(00000000), ref: 00E46462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E4646D
ReleaseDC.USER32(00000000,00000000), ref: 00E46479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E464B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E464C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E49299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E46500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E46520

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7644b319bb20a5dfed483ed40025add7fa8976e16f0586fa5e3314b82c03eb4c
Instruction ID: 74950ff54bebe326d35e6d76b7ba95a796a19fedc54a830f301ba5578cbb709c
Opcode Fuzzy Hash: 7644b319bb20a5dfed483ed40025add7fa8976e16f0586fa5e3314b82c03eb4c
Instruction Fuzzy Hash: 7E319176201210BFEF108F51DC49FEB3FA9EF4A765F050065FE08AA191C6759C42CBA0

Function 00E1C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E1C087
_memcmp.LIBCMT ref: 00E1C0A9
_memcmp.LIBCMT ref: 00E1C0C1
_memcmp.LIBCMT ref: 00E1C0D4
_memcmp.LIBCMT ref: 00E1C0EE
_memcmp.LIBCMT ref: 00E1C101
_memcmp.LIBCMT ref: 00E1C119
_memcmp.LIBCMT ref: 00E1C134

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dc772621cd8f864ef515af9c019135457c7a635c4f1a7369936ac3be7832444f
Instruction ID: b336449fd0a9ba94932f145175a8e7cee0ddbe1397fb3fba4f16fce38aaf5ce5
Opcode Fuzzy Hash: dc772621cd8f864ef515af9c019135457c7a635c4f1a7369936ac3be7832444f
Instruction Fuzzy Hash: CD21C5767C1305B7D210B5218C42FEB23ACEF15399B242028FE09F6283E761DD55C2B6

Function 00E2ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9

_wcstok.LIBCMT ref: 00E2EEFF
_wcscpy.LIBCMT ref: 00E2EF8E
_memset.LIBCMT ref: 00E2EFC1

Strings

X, xrefs: 00E2EFFE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 36ee23c142ea3bd33fbaa7a38176e4be9a87213bdd4fffe3153d76bf5c9b9a87
Instruction ID: 4ab8f0d8e722325603aa938cba3d3b1e2d989587eb8a20aed5ce54f1e6bc4207
Opcode Fuzzy Hash: 36ee23c142ea3bd33fbaa7a38176e4be9a87213bdd4fffe3153d76bf5c9b9a87
Instruction Fuzzy Hash: B7C1AF316083519FD724EF24D995E5AB7E4FF84314F00492DF899AB2A2DB30ED45CBA2

Function 00E36E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E36F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E36F35
WSAGetLastError.WSOCK32(00000000), ref: 00E36F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00E36FFE
inet_ntoa.WSOCK32(?), ref: 00E36FBB

Part of subcall function 00E1AE14: _strlen.LIBCMT ref: 00E1AE1E
Part of subcall function 00E1AE14: _memmove.LIBCMT ref: 00E1AE40

_strlen.LIBCMT ref: 00E37058
_memmove.LIBCMT ref: 00E370C1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 61da58be3be94d81447c93409a77594591c3a403f3d4269f764760d19bf17318
Instruction ID: d8a3299e0f1824c17a4a5d37d6b806946abd39a1bc9cd410b99dad18b8cb539a
Opcode Fuzzy Hash: 61da58be3be94d81447c93409a77594591c3a403f3d4269f764760d19bf17318
Instruction Fuzzy Hash: 6481F171108301AFC724EB24CC99F6BBBE9EF84714F10851CF555AB292DA71AD45CB62

Function 00DC1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b7b42cb65c9e5f8dad0cc539310a556fa8013dd2fd57ea9dd3be426d8cf8f6
Instruction ID: c023e70d1d4a52a7bc4bf21f752acfd3a0d993fcc4b91be944f056ca72d52d7e
Opcode Fuzzy Hash: 52b7b42cb65c9e5f8dad0cc539310a556fa8013dd2fd57ea9dd3be426d8cf8f6
Instruction Fuzzy Hash: 9E714B3890411AEFCB049F58C845EBEBB79FF86324F248159F915AB252C734AA51CFB4

Function 00E4B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(019257E8), ref: 00E4B6A5
IsWindowEnabled.USER32(019257E8), ref: 00E4B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E4B795
SendMessageW.USER32(019257E8,000000B0,?,?), ref: 00E4B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00E4B809
GetWindowLongW.USER32(019257E8,000000EC), ref: 00E4B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E4B843

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b7b8b356100c64cc7674248a83de4b49ebb2fc372ccc16213c47ccb39b853bb7
Instruction ID: ed42d88f36e028eeca0616da8357eb7bbfd3bb18c020a2646f79b33747645c02
Opcode Fuzzy Hash: b7b8b356100c64cc7674248a83de4b49ebb2fc372ccc16213c47ccb39b853bb7
Instruction Fuzzy Hash: F671BE34A00204AFDB249F65E898FAA7BB9FF89304F1551AAF949B7261C731E941CB50

Function 00E3F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E3F75C
_memset.LIBCMT ref: 00E3F825
ShellExecuteExW.SHELL32(?), ref: 00E3F86A

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9

GetProcessId.KERNEL32(00000000), ref: 00E3F8E1
CloseHandle.KERNEL32(00000000), ref: 00E3F910

Strings

@, xrefs: 00E3F839

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4010d098dba53c20ba48ccc0c614b2df4a5c21bfbdf38a0a9628f78a8c662e0d
Instruction ID: fff7abb672548c1eb4b2f06408ca816d13e9d3e65b71335ac605b3ccb04cf8e1
Opcode Fuzzy Hash: 4010d098dba53c20ba48ccc0c614b2df4a5c21bfbdf38a0a9628f78a8c662e0d
Instruction Fuzzy Hash: 2B619E75E006199FCB18EF65C499AADBBB1FF48310F14846DE84ABB351CB30AD41CBA0

Function 00E2145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E2149C
GetKeyboardState.USER32(?), ref: 00E214B1
SetKeyboardState.USER32(?), ref: 00E21512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E21540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E2155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E215A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E215C8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7c6630cbceb1ea23e939b8db73fb6129a401b1e52a340cb0a4792349cba7fa64
Instruction ID: 3aa9cca3c073b8cc97bb7e662cf59785b70439de040bb173a446382044b1398f
Opcode Fuzzy Hash: 7c6630cbceb1ea23e939b8db73fb6129a401b1e52a340cb0a4792349cba7fa64
Instruction Fuzzy Hash: A15104A0A447E53EFB3246349C05BBA7EE95B56308F0C54C9E1D9658C2C3E8DEC4D750

Function 00E21276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E212B5
GetKeyboardState.USER32(?), ref: 00E212CA
SetKeyboardState.USER32(?), ref: 00E2132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E21357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E21374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E213B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E213D9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8a72f88718ffe3962e1a9ef71d5ffb38cd8093a09726285c179b8a1e88ad517e
Instruction ID: 55f11056aff209d66c52adccbe898fba429e6b46df46c5766c61e3f6a2f246b4
Opcode Fuzzy Hash: 8a72f88718ffe3962e1a9ef71d5ffb38cd8093a09726285c179b8a1e88ad517e
Instruction Fuzzy Hash: 2A5139A05043E57DFB3287249C05B7A7FAA5F17308F0854C9F1D8668C2D395EE88E760

Function 00E2589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E258AC
_wcsncpy.LIBCMT ref: 00E258E1
_wcsncpy.LIBCMT ref: 00E25913
_wcsncpy.LIBCMT ref: 00E25946
_wcsncpy.LIBCMT ref: 00E25988
_wcsncpy.LIBCMT ref: 00E259C2
_wcsncpy.LIBCMT ref: 00E259F1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 15ddd74b802ee4fe7fdcc25098123735c90a84b93941449c6eb3c64aa9d62f64
Instruction ID: a5abb4d583352b4bc32723fa249efaceaf91b93674959ca4aff7a95103bf7a22
Opcode Fuzzy Hash: 15ddd74b802ee4fe7fdcc25098123735c90a84b93941449c6eb3c64aa9d62f64
Instruction Fuzzy Hash: EA41AFAAC2026876CB11FBB5888B9DFB3ACDF04710F509866F518E3121E634E714C7B9

Function 00E1DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E1DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E1DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E1DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E1DB8E

Strings

,,, xrefs: 00E1DA69
DllGetClassObject, xrefs: 00E1DB01

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: 02446b430e9583f939536bf5259774f20fd413c73481fb24b240f6261d23ef74
Instruction ID: 290ff33dea09c85473f5a004c635c54e126aa2356f39d1bbe8555f6ebc368db0
Opcode Fuzzy Hash: 02446b430e9583f939536bf5259774f20fd413c73481fb24b240f6261d23ef74
Instruction Fuzzy Hash: 5D418FB1608208EFDB15CF55CC84EDABBA9EF44310F1591A9ED06AF206D7B1DD84CBA0

Function 00E238AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E238D3,?), ref: 00E248C7

Part of subcall function 00E248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E238D3,?), ref: 00E248E0

lstrcmpiW.KERNEL32(?,?), ref: 00E238F3
_wcscmp.LIBCMT ref: 00E2390F
MoveFileW.KERNEL32(?,?), ref: 00E23927
_wcscat.LIBCMT ref: 00E2396F
SHFileOperationW.SHELL32(?), ref: 00E239DB

Strings

\*.*, xrefs: 00E23969

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: bfc3d8f9fd9e7273d9ac594d44256b7719fb73a557af9ba6f2db1b1b8944337f
Instruction ID: 52abe5b3d2cb241b2b99621089335615584f6f1eec511fd9479070e8922f140f
Opcode Fuzzy Hash: bfc3d8f9fd9e7273d9ac594d44256b7719fb73a557af9ba6f2db1b1b8944337f
Instruction Fuzzy Hash: 084183B15083949EC751EF64D441AEFB7ECEF89340F00192EF489E3151EA74D688CB62

Function 00E47500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E47519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E475C0
IsMenu.USER32(?), ref: 00E475D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E47620
DrawMenuBar.USER32 ref: 00E47633

Strings

0, xrefs: 00E4750D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 6c0760203d542ce5a226afe9c9d5b2176116396570fe880e8528ddb85b3291e3
Instruction ID: 61abbeb9c34dab9a3c4a94db876bd5bf1c43199cdb1cb74ce66cd916ab794578
Opcode Fuzzy Hash: 6c0760203d542ce5a226afe9c9d5b2176116396570fe880e8528ddb85b3291e3
Instruction Fuzzy Hash: AF416974A04608EFDB10DF55E884E9ABBF9FB04314F058069ED99AB250D730AD44CFE0

Function 00E4122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E4125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E41286
FreeLibrary.KERNEL32(00000000), ref: 00E4133D

Part of subcall function 00E4122D: RegCloseKey.ADVAPI32(?), ref: 00E412A3
Part of subcall function 00E4122D: FreeLibrary.KERNEL32(?), ref: 00E412F5
Part of subcall function 00E4122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E41318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E412E0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7b60beb70e7d591b2200118638b8f0ff19c29994a92c91e1df0fad669a15d7b7
Instruction ID: 4b406f84cef87f3e2f94fbcd43bf80b52102351ebfe02beb16c38fb1c6034515
Opcode Fuzzy Hash: 7b60beb70e7d591b2200118638b8f0ff19c29994a92c91e1df0fad669a15d7b7
Instruction Fuzzy Hash: 11314BB5901119BFDF149F91EC89EFEB7BCEF09304F0001A9E501F2151EA74AE899AA4

Function 00E4653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E4655B
GetWindowLongW.USER32(019257E8,000000F0), ref: 00E4658E
GetWindowLongW.USER32(019257E8,000000F0), ref: 00E465C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E465F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E4661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00E46630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E4664A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 107049982258426b811b462b66958391a478c964fe4ef7c608dbe45d4271df9a
Instruction ID: ab6e3e1f777897b23b6ada3ba0096e492a7f20b66e0d8ef62365e8dcf387c179
Opcode Fuzzy Hash: 107049982258426b811b462b66958391a478c964fe4ef7c608dbe45d4271df9a
Instruction Fuzzy Hash: AF313534604210AFDB20CF19EC84F553BE1FB4A718F1A11A8F509AB2B5CB75EC44DB82

Function 00E36486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E380CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E364D9
WSAGetLastError.WSOCK32(00000000), ref: 00E364E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E36521
connect.WSOCK32(00000000,?,00000010), ref: 00E3652A
WSAGetLastError.WSOCK32 ref: 00E36534
closesocket.WSOCK32(00000000), ref: 00E3655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E36576

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1428352cdca54f5c842c4c996182bfe17451cb9c157494e180ee37865b18b6ac
Instruction ID: df181c043a13bdbb716aad8b2888805c019abc7a2a68dde695eee841a8c84d67
Opcode Fuzzy Hash: 1428352cdca54f5c842c4c996182bfe17451cb9c157494e180ee37865b18b6ac
Instruction Fuzzy Hash: 8231A135600218BFDB109F24DC89FBE7BA8EB45714F018029F909BB291DB74AD09CB61

Function 00E1E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E1E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E1E120
SysAllocString.OLEAUT32(00000000), ref: 00E1E123
SysAllocString.OLEAUT32 ref: 00E1E144
SysFreeString.OLEAUT32 ref: 00E1E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00E1E167
SysAllocString.OLEAUT32(?), ref: 00E1E175

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fca93628af60f8538827f6cdd2a804476bb9106fc4a44c09017714c5dea06f28
Instruction ID: 860ee337807efc06942db9c118b1dc5689225588ee879a98ac04a0f3c9d9e22f
Opcode Fuzzy Hash: fca93628af60f8538827f6cdd2a804476bb9106fc4a44c09017714c5dea06f28
Instruction Fuzzy Hash: 16217136705108BF9B10AFA9DC88CEB77ECEB09760B508125FD15EB360DA70DC858B64

Function 00E4783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DC1D73
Part of subcall function 00DC1D35: GetStockObject.GDI32(00000011), ref: 00DC1D87
Part of subcall function 00DC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E478A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E478AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E478B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E478C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E478D4

Strings

Msctls_Progress32, xrefs: 00E47872

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d04ae392f7e391113d2560df9b1de753a00b8b478400cc0e953c8b845f02e77d
Instruction ID: a027717172a8d1cf6bf80f625fef8f080c34b391657a6207f713e38add7043c1
Opcode Fuzzy Hash: d04ae392f7e391113d2560df9b1de753a00b8b478400cc0e953c8b845f02e77d
Instruction Fuzzy Hash: 64118EB2510229BFEF159E60CC85EE77F6DEF0C798F015115FA48A6090C7729C21DBA0

Function 00DE41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00DE4292,?), ref: 00DE41E3
GetProcAddress.KERNEL32(00000000), ref: 00DE41EA
EncodePointer.KERNEL32(00000000), ref: 00DE41F6
DecodePointer.KERNEL32(00000001,00DE4292,?), ref: 00DE4213

Strings

RoInitialize, xrefs: 00DE41D2
combase.dll, xrefs: 00DE41DE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: b2d3799b608db49b48e3cdd1484191a797e98a7263d514dce6db70c7dc76131b
Instruction ID: 2131053e9f5418b47d01569d5bbf08897ef6e18770a0bc105b61cd472abebf95
Opcode Fuzzy Hash: b2d3799b608db49b48e3cdd1484191a797e98a7263d514dce6db70c7dc76131b
Instruction Fuzzy Hash: 35E0EDB45913419FEB216F73EC0DB0436A4BB52B42F504424F555F50E0DBB5409E8B14

Function 00DE429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DE41B8), ref: 00DE42B8
GetProcAddress.KERNEL32(00000000), ref: 00DE42BF
EncodePointer.KERNEL32(00000000), ref: 00DE42CA
DecodePointer.KERNEL32(00DE41B8), ref: 00DE42E5

Strings

combase.dll, xrefs: 00DE42B3
RoUninitialize, xrefs: 00DE42A7

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 7cf493eb058980f3c87ae31335956d2c21520b32f0a814a880b0227857b0d41c
Instruction ID: 2f26160e7c4bb1ca3149294b7877ebfd2330ba9c592abfe63ec6c36afb62cf44
Opcode Fuzzy Hash: 7cf493eb058980f3c87ae31335956d2c21520b32f0a814a880b0227857b0d41c
Instruction Fuzzy Hash: 0FE09ABC5427019FEA109F62EC0DB053AA4F715F46F145428F505F11E0DBB4454D8B18

Function 00E2675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E268AD
_memmove.LIBCMT ref: 00E267E8

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

_memmove.LIBCMT ref: 00E2685B
_memmove.LIBCMT ref: 00E26942
_memmove.LIBCMT ref: 00E2695B
_memmove.LIBCMT ref: 00E26977

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 098b8ee0abcba1c93daae97b287bbce549b7c57b5af713911995613890a12945
Instruction ID: 7d08fb2dfea5dde60c205e130ca9c01118668a40b7139f1b625788f090fc448f
Opcode Fuzzy Hash: 098b8ee0abcba1c93daae97b287bbce549b7c57b5af713911995613890a12945
Instruction Fuzzy Hash: 39619A315002AAABCF15EF20D896FFE77A5EF44708F044659F8596B192DE34AD42CBB0

Function 00E4046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E40588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E405AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E405D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E40617
RegCloseKey.ADVAPI32(00000000), ref: 00E40624

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 4b139eef98394b1e79a1dee3a17da6c614ded5e3e02e426a383f5a98c24933be
Instruction ID: bb7e5c60a7961a1bffcc1fc9df6085143eb5fe885cf82121f9e62d9b12add117
Opcode Fuzzy Hash: 4b139eef98394b1e79a1dee3a17da6c614ded5e3e02e426a383f5a98c24933be
Instruction Fuzzy Hash: FC517A31208241AFCB10EF64D885E6FBBE8FF89714F04496DF545A72A1DB31E945CB62

Function 00E45A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E45A82
GetMenuItemCount.USER32(00000000), ref: 00E45AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E45AE1
GetMenuItemID.USER32(?,?), ref: 00E45B50
GetSubMenu.USER32(?,?), ref: 00E45B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E45BAF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f46c1c40df9aa522f35c05f205bbffa48ebf44356f50d012414d931eea90c600
Instruction ID: dfe8c204554cb891763152803676c17b33de534599be61ced945714c1d10d5f1
Opcode Fuzzy Hash: f46c1c40df9aa522f35c05f205bbffa48ebf44356f50d012414d931eea90c600
Instruction Fuzzy Hash: 0D518136A00615EFCF15EFA5D845AAEB7B4EF48710F104469E815BB352CB70AE41CBA0

Function 00E1F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E1F3F7
VariantClear.OLEAUT32(00000013), ref: 00E1F469
VariantClear.OLEAUT32(00000000), ref: 00E1F4C4
_memmove.LIBCMT ref: 00E1F4EE
VariantClear.OLEAUT32(?), ref: 00E1F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E1F569

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 82d91dafc10058a50f6db8de0d13723c0cd73382537c7f6e785c8cb76491042e
Instruction ID: b9d853c913d5ff0236bdd9393874acc35a3ca02f8f23e0b49cdce93e95c959b6
Opcode Fuzzy Hash: 82d91dafc10058a50f6db8de0d13723c0cd73382537c7f6e785c8cb76491042e
Instruction Fuzzy Hash: 175168B5A00209EFCB14CF58D880AAAB7F9FF4C314B158169E959EB300D730E952CBA0

Function 00E226F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E22747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E22792
IsMenu.USER32(00000000), ref: 00E227B2
CreatePopupMenu.USER32 ref: 00E227E6
GetMenuItemCount.USER32(000000FF), ref: 00E22844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E22875

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: c9dab6f6ca287e4ae9fa0d3c80fdd85e1b059c2a49ce6c6a261b058bba5d6e0f
Instruction ID: 80b8286bc6a91f3f945854d8005d2aa6f62c7750a64724b435a36031ebd75526
Opcode Fuzzy Hash: c9dab6f6ca287e4ae9fa0d3c80fdd85e1b059c2a49ce6c6a261b058bba5d6e0f
Instruction Fuzzy Hash: F6517070900269EFDF2CCF64E888AADBBF5AF45318F10525DE611BB291D7709944CB51

Function 00DC1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00DC179A
GetWindowRect.USER32(?,?), ref: 00DC17FE
ScreenToClient.USER32(?,?), ref: 00DC181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DC182C
EndPaint.USER32(?,?), ref: 00DC1876

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: ccfbe252b2c6e928da7a77de7c878a4e5d3b869fec2b7db3d566cbf577b11803
Instruction ID: c520a0674eaa63007b143268865ab06f3f6a80c63037945d9628bb055f5b1e0f
Opcode Fuzzy Hash: ccfbe252b2c6e928da7a77de7c878a4e5d3b869fec2b7db3d566cbf577b11803
Instruction Fuzzy Hash: B541BC74104212AFD710DF25CC84FBA7BF8EB4A724F14466DFA989B2A2C7309809DB71

Function 00E4B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E867B0,00000000,019257E8,?,?,00E867B0,?,00E4B862,?,?), ref: 00E4B9CC
EnableWindow.USER32(00000000,00000000), ref: 00E4B9F0
ShowWindow.USER32(00E867B0,00000000,019257E8,?,?,00E867B0,?,00E4B862,?,?), ref: 00E4BA50
ShowWindow.USER32(00000000,00000004,?,00E4B862,?,?), ref: 00E4BA62
EnableWindow.USER32(00000000,00000001), ref: 00E4BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E4BAA9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f702949893fcbd3f31d6e0eaa19b1bdefabd4bf45aaf3a394918fb2ad53f0723
Instruction ID: dd4e791b8d74e836c627d6da01924b13f178b65a2cb1eece5d613fb2f051e1c7
Opcode Fuzzy Hash: f702949893fcbd3f31d6e0eaa19b1bdefabd4bf45aaf3a394918fb2ad53f0723
Instruction Fuzzy Hash: 3B416334600241AFDB21CF15E489B957BE0FF49718F1852B9FA58AF2A2C731E84ADB51

Function 00E373B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E35134,?,?,00000000,00000001), ref: 00E373BF

Part of subcall function 00E33C94: GetWindowRect.USER32(?,?), ref: 00E33CA7

GetDesktopWindow.USER32 ref: 00E373E9
GetWindowRect.USER32(00000000), ref: 00E373F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E37422

Part of subcall function 00E254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E

GetCursorPos.USER32(?), ref: 00E3744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E374AC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ef03fc8305efbf299c12f5787331694d6e6caacee957a6c7107e27db5b2e6957
Instruction ID: 933dff173b37555d156c6356a22b588cc491ce2d13fa1c2d12f28064c359ba95
Opcode Fuzzy Hash: ef03fc8305efbf299c12f5787331694d6e6caacee957a6c7107e27db5b2e6957
Instruction Fuzzy Hash: 1031F272508305AFD720DF14D849F9BBBE9FF89304F001919F899A7191CA30E909CB92

Function 00E18D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E18608
Part of subcall function 00E185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E18612
Part of subcall function 00E185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E18621
Part of subcall function 00E185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E18628
Part of subcall function 00E185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E1863E

GetLengthSid.ADVAPI32(?,00000000,00E18977), ref: 00E18DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E18DB8
HeapAlloc.KERNEL32(00000000), ref: 00E18DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E18DD8
GetProcessHeap.KERNEL32(00000000,00000000,00E18977), ref: 00E18DEC
HeapFree.KERNEL32(00000000), ref: 00E18DF3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f9e722edce993ebef1a94d070f3f0d5df05a294622556e2870fa73dcc6ed884d
Instruction ID: bb2779d2f51b2cd795061fd820f3bad269913aa4fe6f65b586dafb70c671d448
Opcode Fuzzy Hash: f9e722edce993ebef1a94d070f3f0d5df05a294622556e2870fa73dcc6ed884d
Instruction Fuzzy Hash: 5011DC35901604FFDB108FA5ED49BEE7BADEF42319F104129E845B3251CB329985CB60

Function 00E18AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E18B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00E18B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E18B40
CloseHandle.KERNEL32(00000004), ref: 00E18B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E18B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00E18B8E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3e2d78d8297006c73f8d51de0217d4d6a887afcf8a5283447b61fa216b87004b
Instruction ID: 2c6b1711eaef5ce6cc964488f4bbcb64466fb9a0940803011a28f6705ec38e1e
Opcode Fuzzy Hash: 3e2d78d8297006c73f8d51de0217d4d6a887afcf8a5283447b61fa216b87004b
Instruction Fuzzy Hash: 531189BA504209AFDF018FA5ED49FDA7BA9EF49708F045025FE04B2060C7768DA5EB60

Function 00E4C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC134D
Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC135C
Part of subcall function 00DC12F3: BeginPath.GDI32(?), ref: 00DC1373
Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E4C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00E4C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E4C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00E4C1F6
EndPath.GDI32(00000000), ref: 00E4C206
StrokePath.GDI32(00000000), ref: 00E4C216

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 23f04778486245c8e29506376d2ae905ed0ddf12db38f5cfc4c50c21886ce23f
Instruction ID: 4101a3445a609198a89b8a25da1b3929eb7eb6f0eb8e619ef0922d4fa426d47e
Opcode Fuzzy Hash: 23f04778486245c8e29506376d2ae905ed0ddf12db38f5cfc4c50c21886ce23f
Instruction Fuzzy Hash: 7A111B7A40014DBFDF119F91EC88FAA7FADEB09354F048021FA186A162C7B19D59DBA0

Function 00DE03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DE03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00DE03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DE03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DE03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00DE03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DE0401

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7a8607281c51e1e925a83036a6b11267b3cd1adef2f7017f3d4dcb518da5aa9e
Instruction ID: fad603145508c08e3093f60d611cef4c7c459242fa10b0caaf3f6b676c3f6fd6
Opcode Fuzzy Hash: 7a8607281c51e1e925a83036a6b11267b3cd1adef2f7017f3d4dcb518da5aa9e
Instruction Fuzzy Hash: 9F016CB09027597DE3008F5A8C85B52FFA8FF19754F00415BE15C47941C7F5A868CBE5

Function 00E2568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E2569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E256B1
GetWindowThreadProcessId.USER32(?,?), ref: 00E256C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E256E0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 294f83ce871208edbb75ffe1bc569bc80dc5e8588417aab6112d41d680116477
Instruction ID: d8adb0f239460f1b03c5a74e88596cff695267e07fbe04e96057d49b65332dbf
Opcode Fuzzy Hash: 294f83ce871208edbb75ffe1bc569bc80dc5e8588417aab6112d41d680116477
Instruction Fuzzy Hash: 34F06D36241158BFE3205BA3AC0DEAB7A7CEBC7F11F0001A9FA00E105196A01A0686B5

Function 00E274D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E274E5
EnterCriticalSection.KERNEL32(?,?,00DD1044,?,?), ref: 00E274F6
TerminateThread.KERNEL32(00000000,000001F6,?,00DD1044,?,?), ref: 00E27503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00DD1044,?,?), ref: 00E27510

Part of subcall function 00E26ED7: CloseHandle.KERNEL32(00000000,?,00E2751D,?,00DD1044,?,?), ref: 00E26EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00E27523
LeaveCriticalSection.KERNEL32(?,?,00DD1044,?,?), ref: 00E2752A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ffbb917c861d475d27f56b2c38309f3375269ffb4b54151bfe0609a075f66f6f
Instruction ID: 111a62710f17d7ef2d2d97668a75b46517226ae2fc39bb92bc5753480ad4c6d2
Opcode Fuzzy Hash: ffbb917c861d475d27f56b2c38309f3375269ffb4b54151bfe0609a075f66f6f
Instruction Fuzzy Hash: 10F05E3E540A22EFEB111B65FC8C9EB776AEF46B02B001531F602B10B1CBB55906CB54

Function 00E18E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E18E7F
UnloadUserProfile.USERENV(?,?), ref: 00E18E8B
CloseHandle.KERNEL32(?), ref: 00E18E94
CloseHandle.KERNEL32(?), ref: 00E18E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00E18EA5
HeapFree.KERNEL32(00000000), ref: 00E18EAC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 79e54bb73e72a93563807899bbe13a6b078f6c5da9605a5b378bea5a1d8e56f1
Instruction ID: ddc7595a3c5debe27343e73dc1c7b3b26dfc140c251f054a50ea0752258c9135
Opcode Fuzzy Hash: 79e54bb73e72a93563807899bbe13a6b078f6c5da9605a5b378bea5a1d8e56f1
Instruction Fuzzy Hash: 3BE0C23A004001FFDA011FE2EC0C90ABBA9FB8AB22B108231F219A1571CB32942ADB50

Function 00E17A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E52C7C,?), ref: 00E17C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E52C7C,?), ref: 00E17C4A
CLSIDFromProgID.OLE32(?,?,00000000,00E4FB80,000000FF,?,00000000,00000800,00000000,?,00E52C7C,?), ref: 00E17C6F
_memcmp.LIBCMT ref: 00E17C90

Strings

,,, xrefs: 00E17A85

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: 8ef31edc093d60177ea2f69178d91880a47ddb8a0b3ff14efbffff7b528786fc
Instruction ID: 7516fff94688a0366f29c177c00b6547b998b52274db05aff1e9c073fd7791a9
Opcode Fuzzy Hash: 8ef31edc093d60177ea2f69178d91880a47ddb8a0b3ff14efbffff7b528786fc
Instruction Fuzzy Hash: D4812A76A04109EFCB04DF94C884EEEB7B9FF89715F204198E546BB250DB31AE46CB60

Function 00E38902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E38928
CharUpperBuffW.USER32(?,?), ref: 00E38A37
VariantClear.OLEAUT32(?), ref: 00E38BAF

Part of subcall function 00E27804: VariantInit.OLEAUT32(00000000), ref: 00E27844
Part of subcall function 00E27804: VariantCopy.OLEAUT32(00000000,?), ref: 00E2784D
Part of subcall function 00E27804: VariantClear.OLEAUT32(00000000), ref: 00E27859

Strings

Incorrect Parameter format, xrefs: 00E38960, 00E38B22
AUTOIT.ERROR, xrefs: 00E38A3D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 4ba775a73150b4b6194ac98390772e8dea897157813be98f9aad6af245e41a07
Instruction ID: 7edae620b705d002e9b25eb6e435f9c148f3d7e0ed534d336dbee036116c8f70
Opcode Fuzzy Hash: 4ba775a73150b4b6194ac98390772e8dea897157813be98f9aad6af245e41a07
Instruction Fuzzy Hash: 6D91AF746083029FC710DF24C588E5ABBE4EFC8704F14996EF89A9B361DB31E945CB62

Function 00E22F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9

_memset.LIBCMT ref: 00E23077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E230A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E23159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E23187

Strings

0, xrefs: 00E23063

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 7789ad9a90823b91442518c80549d534496947737dddb9699ba552c73814cd97
Instruction ID: aacac3739eca154b2e401000a5586ea5da38a162158fa501eb2b3751fcbcd81e
Opcode Fuzzy Hash: 7789ad9a90823b91442518c80549d534496947737dddb9699ba552c73814cd97
Instruction Fuzzy Hash: F651E1316093609ED725AF38E845A6BB7E4EF85314F041A2DF885F3191DB78CE548B62

Function 00E22C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E22CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E22CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00E22D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E86890,00000000), ref: 00E22D5A

Strings

0, xrefs: 00E22CA4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 7b8f268537fd8c0fa0413f7266c0c5d5fe848544dd0cb16a6682121b67af59a1
Instruction ID: 9cb72ea3ca719c0a7ff31c2693965b306cdbb7c3def2010ca027bcce8f78cb4a
Opcode Fuzzy Hash: 7b8f268537fd8c0fa0413f7266c0c5d5fe848544dd0cb16a6682121b67af59a1
Instruction Fuzzy Hash: B441C130204312AFD724DF24E845B5BBBE8EF85324F00461DFA65A72E1DB70E905CBA2

Function 00E3DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E3DAD9

Part of subcall function 00DC79AB: _memmove.LIBCMT ref: 00DC79F9

Strings

stdcall, xrefs: 00E3DB5B
cdecl, xrefs: 00E3DB30
none, xrefs: 00E3DBB4
winapi, xrefs: 00E3DB4A

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1e1adf7c760cb5242f0dacc520013de4a40c481314545457351d10f0c3b242c8
Instruction ID: c43cd1b00141bbefad64ced34415a69909ed4c6a1e57def2ce22772583f39a75
Opcode Fuzzy Hash: 1e1adf7c760cb5242f0dacc520013de4a40c481314545457351d10f0c3b242c8
Instruction Fuzzy Hash: 6731A17090421AAFCF00EF94DC819EEF7B4FF45324F108629E865A76D1CB71A905CBA0

Function 00E19372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E193F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E19409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E19439

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

Strings

ListBox, xrefs: 00E193B5
ComboBox, xrefs: 00E19380

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 76f1630963fdd2bc490f9b2ba2bfb9df6f4f5ba8e61bc750d6b8bfe58a8f923e
Instruction ID: afd20c476b48ebfccb6036bc3d517db7b97f0d66dcf2ef4ec2fe75fa3e77b7be
Opcode Fuzzy Hash: 76f1630963fdd2bc490f9b2ba2bfb9df6f4f5ba8e61bc750d6b8bfe58a8f923e
Instruction Fuzzy Hash: C7210471900104BEDB14ABB1DC95DFFB778DF05750B105119F836B71E2DB34198A9A30

Function 00E46656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DC1D73
Part of subcall function 00DC1D35: GetStockObject.GDI32(00000011), ref: 00DC1D87
Part of subcall function 00DC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E466D0
LoadLibraryW.KERNEL32(?), ref: 00E466D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E466EC
DestroyWindow.USER32(?), ref: 00E466F4

Strings

SysAnimate32, xrefs: 00E466AB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: df05d184af9b8e4e2086d9a59999b4938faf36c334e1a9817cd97c8506f4a902
Instruction ID: e0ac8b71bcdade8c87a800d51fbda7c1a7f3d8a80aa5a01c77415da31fcfb031
Opcode Fuzzy Hash: df05d184af9b8e4e2086d9a59999b4938faf36c334e1a9817cd97c8506f4a902
Instruction Fuzzy Hash: 1C21CDB1200206AFEF104F64FC80EBB37ADEB5A768F126629F911B3190C771CC519762

Function 00E2703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E2705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E27091
GetStdHandle.KERNEL32(0000000C), ref: 00E270A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E270DD

Strings

nul, xrefs: 00E270D8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 757d3231e4ffe2c18221c43ba12a6bfe3a4c6a0ec397144eebf5f14b3cab66b9
Instruction ID: 791bf8565f34946719bc08bc6ffe9beea46146567b5e3052288e4b12fad994b5
Opcode Fuzzy Hash: 757d3231e4ffe2c18221c43ba12a6bfe3a4c6a0ec397144eebf5f14b3cab66b9
Instruction Fuzzy Hash: 13218174604229ABDF209F29EC05E9A77E8AF45724F205619FCE1F72D0E7B09848CB50

Function 00E2710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E2712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E2715D
GetStdHandle.KERNEL32(000000F6), ref: 00E2716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E271A8

Strings

nul, xrefs: 00E271A3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8acf7273aec275c51063e956ddd4ab214fa41baf7d8c498dd51e042a4c4314f3
Instruction ID: cc5331bb5c9fb25a15aa06f521b2fa4950e4180d37cb65df89cb659f409a8806
Opcode Fuzzy Hash: 8acf7273aec275c51063e956ddd4ab214fa41baf7d8c498dd51e042a4c4314f3
Instruction Fuzzy Hash: 8921B3756053259BDF209F69AC04AAAB7E8AF55724F201719FCF1F32D0D7B09861CB50

Function 00E2AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E2AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E2AF13
__swprintf.LIBCMT ref: 00E2AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E4F910), ref: 00E2AF6A

Strings

%lu, xrefs: 00E2AF26

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 07ae0353110ddeb65e3d76f57ecc5acda12db2544f629e7815f36dcf04276567
Instruction ID: 8185d6e25213ef9c6d7722b44d7983ed5f9ec7471d545cc1726d67b6b14397c4
Opcode Fuzzy Hash: 07ae0353110ddeb65e3d76f57ecc5acda12db2544f629e7815f36dcf04276567
Instruction Fuzzy Hash: 0A217434A00209AFDB10EF65D985EAEB7B8EF89704B004069F509EB251DB71EE45CB31

Function 00E1A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

Part of subcall function 00E1A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E1A399
Part of subcall function 00E1A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1A3AC
Part of subcall function 00E1A37C: GetCurrentThreadId.KERNEL32 ref: 00E1A3B3
Part of subcall function 00E1A37C: AttachThreadInput.USER32(00000000), ref: 00E1A3BA

GetFocus.USER32 ref: 00E1A554

Part of subcall function 00E1A3C5: GetParent.USER32(?), ref: 00E1A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00E1A59D
EnumChildWindows.USER32(?,00E1A615), ref: 00E1A5C5
__swprintf.LIBCMT ref: 00E1A5DF

Strings

%s%d, xrefs: 00E1A5D9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: d520db8f64559757496cebc43761fc46bfacab1073bfac669acb2b2c61256266
Instruction ID: cecfcbd295389aa282f38da21e26851c16b517f278dd46e1c43a68c6402c3a8f
Opcode Fuzzy Hash: d520db8f64559757496cebc43761fc46bfacab1073bfac669acb2b2c61256266
Instruction Fuzzy Hash: 2C119071601209ABDF117FA1EC85FFE37A8DF49700F085079F919BA152CA7059858B75

Function 00E22017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E22048

Strings

EXISTS, xrefs: 00E22070
REMOVE, xrefs: 00E2204E
KEYS, xrefs: 00E2205F
APPEND, xrefs: 00E22081

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 344aad4716da988dbb646030f5f372bfb8b7a060c8a271aabaad9cab933e87d1
Instruction ID: ce430a0a744fa787140fec3bfe9980b9b67cab4b06e055989871227be1c09ac4
Opcode Fuzzy Hash: 344aad4716da988dbb646030f5f372bfb8b7a060c8a271aabaad9cab933e87d1
Instruction Fuzzy Hash: 14116D7090011ADFCF00EFA4E8819EEB7B4FF55304B5094A8D855B7252EB32690ACB60

Function 00E3EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E3EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E3EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E3F07E
CloseHandle.KERNEL32(?), ref: 00E3F0FF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 3ae8a023925cf99c9bb51937aa0c53e838e1c295ce681c79efa4ea2098b4a9b3
Instruction ID: 5a529d1b74a8b5c027182736fc0376934121c86586d2834d467fcb0942e2ec83
Opcode Fuzzy Hash: 3ae8a023925cf99c9bb51937aa0c53e838e1c295ce681c79efa4ea2098b4a9b3
Instruction Fuzzy Hash: 078182B16007019FD720DF29C85AF6ABBE5EF48B10F14881DF599E7292DBB1AC01CB61

Function 00E402C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E40038,?,?), ref: 00E410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E40388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E403C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E4040E
RegCloseKey.ADVAPI32(?,?), ref: 00E4043A
RegCloseKey.ADVAPI32(00000000), ref: 00E40447

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 210e8b615a301de44de013a068ba278e7c2597b0a52fa76eb7718dad8113ff01
Instruction ID: 1e49c45e6e9f189d85c364a2aca53404dcabe5c18767b047be52a573cab6bf93
Opcode Fuzzy Hash: 210e8b615a301de44de013a068ba278e7c2597b0a52fa76eb7718dad8113ff01
Instruction Fuzzy Hash: A6515B31208205AFD704EF65D881F6EB7E8FF84704F04992DF695A7291DB31E905CB62

Function 00E3DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E3DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00E3DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E3DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00E3DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E3DD35

Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E27B20,?,?,00000000), ref: 00DC5B8C
Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E27B20,?,?,00000000,?,?), ref: 00DC5BB0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: e22e502cd11747e90b503c1f65d5505a171ba39c97b22daa1358ec7cf24437c5
Instruction ID: fb79fa4285e7197eda279c7f70cd9e067d59a774fd4746e2884728d25b5a4cfd
Opcode Fuzzy Hash: e22e502cd11747e90b503c1f65d5505a171ba39c97b22daa1358ec7cf24437c5
Instruction Fuzzy Hash: 42511835A042069FCB01EFA8D898DADFBF4EF49314B059169E819AB312DB30AD45CF61

Function 00E2E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E2E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E2E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E2E8F2

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E2E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E2E91F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 963ed584bc00a06e2b31947cef9a88f977b8966eafd23eb5b564b158ce846355
Instruction ID: 22f44d6c8e06c399765d8f917ebf40ed463c93316bc88260c55a93fb3b140db9
Opcode Fuzzy Hash: 963ed584bc00a06e2b31947cef9a88f977b8966eafd23eb5b564b158ce846355
Instruction Fuzzy Hash: 5E512839A00215DFCF05EF65D995EAEBBF5EF08314B148099E849AB361CB31AD51CB60

Function 00E4A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe89a8435feaddf7c1264ff63fd65351edc7891265e690d206868e1e4777a11
Instruction ID: 006f1f7bc946c5545053e7f06206b3bf8d6ae99f459f63bc76e3d0feec693b0a
Opcode Fuzzy Hash: cfe89a8435feaddf7c1264ff63fd65351edc7891265e690d206868e1e4777a11
Instruction Fuzzy Hash: A941F139940204AFC720DF28EC48FEDBBA5EB09324F195175F829B72E0E770AD41DA91

Function 00DC2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DC2357
ScreenToClient.USER32(00E867B0,?), ref: 00DC2374
GetAsyncKeyState.USER32(00000001), ref: 00DC2399
GetAsyncKeyState.USER32(00000002), ref: 00DC23A7

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 171cae56858c27cceeaf9f96d80e313f4d7d4e62653d91a95d392e179d9a71c1
Instruction ID: d7aae533d9187577f0c9fdca292dbc042a7f4d635d397a11145e5630d2f3d533
Opcode Fuzzy Hash: 171cae56858c27cceeaf9f96d80e313f4d7d4e62653d91a95d392e179d9a71c1
Instruction Fuzzy Hash: FD418C3550415AFBDB159F68C844EF9BBB4FB45320F20831AE928A3290C735A964DBA1

Function 00E16920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E1695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00E169A9
TranslateMessage.USER32(?), ref: 00E169D2
DispatchMessageW.USER32(?), ref: 00E169DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E169EB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 9d8451414b1443d46dd6ab7fde4509c1d94e801eb74278ac30048f4a9f900c39
Instruction ID: 51308dba7acc718d0922617454e7ae8089a1120e42a18c0bed42ec6002f83d56
Opcode Fuzzy Hash: 9d8451414b1443d46dd6ab7fde4509c1d94e801eb74278ac30048f4a9f900c39
Instruction Fuzzy Hash: 5531A371900246AFDB20CFB5DC44FF67BA8AB42708F1491A9E429F61A1D73598C9D7A0

Function 00E18F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E18F12
PostMessageW.USER32(?,00000201,00000001), ref: 00E18FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E18FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00E18FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E18FDA

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8e37dce6603cd90fd3234df3ed014939ad7a4cd31c989586736120690f6bb7e7
Instruction ID: 8d48c32ca2564f5dd87e3ab262dfd4f1944e3bd7cc385fd2c14c4758cb376b03
Opcode Fuzzy Hash: 8e37dce6603cd90fd3234df3ed014939ad7a4cd31c989586736120690f6bb7e7
Instruction Fuzzy Hash: F931EE71A0021DEFDB14CF68DA4CADE7BB6FB09319F104229F925EA2D0C7B09955CB91

Function 00E1B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E1B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E1B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E1B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E1B742
_wcsstr.LIBCMT ref: 00E1B74C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2f6c9ecfb5e4107b4c7be2af5f179f1078584fd25b32de9834b9ee901312218c
Instruction ID: 91a5d7282dc5e94332225f8c40fa0057089df25a5e0c7822ffc0b2a2b148b087
Opcode Fuzzy Hash: 2f6c9ecfb5e4107b4c7be2af5f179f1078584fd25b32de9834b9ee901312218c
Instruction Fuzzy Hash: AC21F935604244BBEB255B3ADC49EBB7BACDF49B50F00417AFC05EA1A1EF61DC8196B0

Function 00E4B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

GetWindowLongW.USER32(?,000000F0), ref: 00E4B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E4B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E4B489
GetSystemMetrics.USER32(00000004), ref: 00E4B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E31184,00000000), ref: 00E4B4D0

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0872c3f19528f890223c8dfc0fb7fe98f80782c239c966504ea378dc977c89b2
Instruction ID: 215968f23ccc84fe5016313f126a79b71d7d3be807fbf8a1ed6a46d45b3ae035
Opcode Fuzzy Hash: 0872c3f19528f890223c8dfc0fb7fe98f80782c239c966504ea378dc977c89b2
Instruction Fuzzy Hash: 3A218D31A10265AFCB249F39AC04A6A3BA4EB05725F115728F93AE21E1E730D811DB90

Function 00E197E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E19802

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E19834
__itow.LIBCMT ref: 00E1984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E19874
__itow.LIBCMT ref: 00E19885

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 604dcedf1515af4d225906600332297af85e83d42f5579d02d7f1dd2253b6ae8
Instruction ID: 4ef24dbb410eee183989618031b83f224082348f9236fd90b7c3b6b6e55f09f4
Opcode Fuzzy Hash: 604dcedf1515af4d225906600332297af85e83d42f5579d02d7f1dd2253b6ae8
Instruction Fuzzy Hash: C1210A31B00204BFDB14AA659C8AEEE3BADEF4AB14F041068FD05FB242D6708D8597F1

Function 00DC12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC134D
SelectObject.GDI32(?,00000000), ref: 00DC135C
BeginPath.GDI32(?), ref: 00DC1373
SelectObject.GDI32(?,00000000), ref: 00DC139C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 15f4bc55bff814470839c341b8c0eb7ea8007bc693585563cfa197ce447ecfb6
Instruction ID: bc2d1d183667cd8697606d5e24f9c1704b15200a7305a1a766a0c7561d57d971
Opcode Fuzzy Hash: 15f4bc55bff814470839c341b8c0eb7ea8007bc693585563cfa197ce447ecfb6
Instruction Fuzzy Hash: AD21B874800355DFDB149F56EC09B697BB8F702725F14821AF41CB71A1D3719859CFA0

Function 00E1C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E1C176
_memcmp.LIBCMT ref: 00E1C194
_memcmp.LIBCMT ref: 00E1C1A7
_memcmp.LIBCMT ref: 00E1C1BF
_memcmp.LIBCMT ref: 00E1C1D7

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 521e28a60e758ed4c4e3c0e2a4a03f8fc681f6c5b77c3f25dba75775f2e24818
Instruction ID: e1e072b9a805a5c1fc3b78521c76401516e120b5017a40c652003e75e1c7a9c8
Opcode Fuzzy Hash: 521e28a60e758ed4c4e3c0e2a4a03f8fc681f6c5b77c3f25dba75775f2e24818
Instruction Fuzzy Hash: 2D01B9727C52057BD204B5255C42FEB73ACDB11398F645419FE04F7243E661DE9582F1

Function 00E24D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E24D5C
__beginthreadex.LIBCMT ref: 00E24D7A
MessageBoxW.USER32(?,?,?,?), ref: 00E24D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E24DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E24DAC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: e1a1f1f1e1a6d4e4401774cd49da6358b82b876a69ae650e8dc493ce83e8d6f7
Instruction ID: 09445a23a10badaeece45cf308fd6d1c748905c0dc8e7c9f493e340d5e92b395
Opcode Fuzzy Hash: e1a1f1f1e1a6d4e4401774cd49da6358b82b876a69ae650e8dc493ce83e8d6f7
Instruction Fuzzy Hash: 141108B6904258FFC7019FA9EC04ADA7FACEB45724F1442A5F918F73A1D6718D0887B0

Function 00E1874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E18766
GetLastError.KERNEL32(?,00E1822A,?,?,?), ref: 00E18770
GetProcessHeap.KERNEL32(00000008,?,?,00E1822A,?,?,?), ref: 00E1877F
HeapAlloc.KERNEL32(00000000,?,00E1822A,?,?,?), ref: 00E18786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E1879D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2d81a0bdd8ec175597e7ef60164597755b87b93354820fda54477e9d1f6ac746
Instruction ID: 4558adfe5d37513ba49547e8f6d3748878cb70f1bcb680ba86be9b091b2f3c22
Opcode Fuzzy Hash: 2d81a0bdd8ec175597e7ef60164597755b87b93354820fda54477e9d1f6ac746
Instruction Fuzzy Hash: F2016D75601204FFDB205FA6DD88DAB7BACFF8A755720047AF949E2260DA318C45CA60

Function 00E254E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E25502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E25510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E25518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E25522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a85b644912ee4b0795b99812cbab434ae36d2e9603efcb5ba2f62e7c88f3eab7
Instruction ID: c64dba1f28fbec7bd371b7c2e01cd7f3afb04d54ba9b79112d181c076372b3f4
Opcode Fuzzy Hash: a85b644912ee4b0795b99812cbab434ae36d2e9603efcb5ba2f62e7c88f3eab7
Instruction Fuzzy Hash: 45015B36C01A29DBCF00EFE9E9885EDBB79FB0A711F040056E911B2240DB305554C7A1

Function 00E17652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?,?,00E1799D), ref: 00E1766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E1768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E17698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?), ref: 00E176A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E1758C,80070057,?,?), ref: 00E176B4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 87d284233bde260df38629ff634b15d1faedceb630adc61a528215672dec956c
Instruction ID: e2be7e6d51a81199d12b49da148e98c6649b25305bdfed2b47c58c71ced407d6
Opcode Fuzzy Hash: 87d284233bde260df38629ff634b15d1faedceb630adc61a528215672dec956c
Instruction Fuzzy Hash: A701B1B6600604AFDB104F59DC04AAA7FBCEB49F51F100028FD44E7211EB31DD8187A0

Function 00E185F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E18608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E18612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E18621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E18628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E1863E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b0153c8f16ca5c67163b595e0659267eab3f714befae33bfcbc004d9ec48bcaa
Instruction ID: f38e96547cb7b586194f5de8cea5d2f95ff595712184a926028b3e1fc3253ce3
Opcode Fuzzy Hash: b0153c8f16ca5c67163b595e0659267eab3f714befae33bfcbc004d9ec48bcaa
Instruction Fuzzy Hash: A6F06235201204AFEB200FA6DD8DEAB3BACEF8AB58B001425F945E6151CB71DC86DA60

Function 00E18652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E18669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E18673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E18682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E18689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E1869F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bc12312f27417ec86cddf4598460f3d3305a6d04cb951ba700021ee63f7e8b95
Instruction ID: 1ec98915111cbf4a07c402b88526d0a579dcfe291a5c7ebdde503e4d418d0e77
Opcode Fuzzy Hash: bc12312f27417ec86cddf4598460f3d3305a6d04cb951ba700021ee63f7e8b95
Instruction Fuzzy Hash: 9DF06279201304AFEB211FA6EC88EA73BACEF8AB58B100035F945E6151CB71DD46DA60

Function 00E1C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E1C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E1C6D1
MessageBeep.USER32(00000000), ref: 00E1C6E9
KillTimer.USER32(?,0000040A), ref: 00E1C705
EndDialog.USER32(?,00000001), ref: 00E1C71F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 77213f7f82c90833b533fa3928ee9445a810f8d4877b9f56058840d265d231a6
Instruction ID: e34295fedf9008e77a7500628c95d2084633e2ed8ec7812eeaac323f2ecaefcf
Opcode Fuzzy Hash: 77213f7f82c90833b533fa3928ee9445a810f8d4877b9f56058840d265d231a6
Instruction Fuzzy Hash: A5018F34440304ABEB215B21DD4EFE677B8FB05B05F0016AAF542F14E0DBE0A9998E90

Function 00DC13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00DC13BF
StrokeAndFillPath.GDI32(?,?,00DFBAD8,00000000,?), ref: 00DC13DB
SelectObject.GDI32(?,00000000), ref: 00DC13EE
DeleteObject.GDI32 ref: 00DC1401
StrokePath.GDI32(?), ref: 00DC141C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: bf36f7cc94457193884ac90a891015fa10ea7e36001056d9c63bb90260c2046d
Instruction ID: 4f6a3d17afcb7fbc26bc3ad255137b8498bf32f2cf97d96537b3abc8a58613c3
Opcode Fuzzy Hash: bf36f7cc94457193884ac90a891015fa10ea7e36001056d9c63bb90260c2046d
Instruction Fuzzy Hash: 15F0E134004349DFDB195F57EC0CB543FA4AB42726F18C228E46D690F2C731459ADF60

Function 00E2C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E2C69D
CoCreateInstance.OLE32(00E52D6C,00000000,00000001,00E52BDC,?), ref: 00E2C6B5

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

CoUninitialize.OLE32 ref: 00E2C922

Strings

.lnk, xrefs: 00E2C631, 00E2C659, 00E2C663

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: a3e02014e578a729817db3d893473e2cec415b213bc3b222586808e3db5a0546
Instruction ID: d3a9ac81e561d5f86e76f67315710ac105e7dbc7bc155bad2a2495389bc2f45b
Opcode Fuzzy Hash: a3e02014e578a729817db3d893473e2cec415b213bc3b222586808e3db5a0546
Instruction Fuzzy Hash: 66A12B71108306AFD700EF54C895EABB7E8EF95704F04495CF1969B1A2EB70EA49CB72

Function 00DD2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00DE0FF6: std::exception::exception.LIBCMT ref: 00DE102C
Part of subcall function 00DE0FF6: __CxxThrowException@8.LIBCMT ref: 00DE1041

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00DC7BB1: _memmove.LIBCMT ref: 00DC7C0B

__swprintf.LIBCMT ref: 00DD302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DD2EC6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 348e490452b057ca73881e3a098137c6229ecd1b92858705360edb024b300949
Instruction ID: 289e34aba6bf42b3ad67bc12c07838d1d4033e0f3082ce50ebb003e7e3598328
Opcode Fuzzy Hash: 348e490452b057ca73881e3a098137c6229ecd1b92858705360edb024b300949
Instruction Fuzzy Hash: 48917E712083429FC728EF24D885E7EB7A4EF85750F04491EF4869B2A1DA70EE44CB72

Function 00E2BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DC48A1,?,?,00DC37C0,?), ref: 00DC48CE

CoInitialize.OLE32(00000000), ref: 00E2BC26
CoCreateInstance.OLE32(00E52D6C,00000000,00000001,00E52BDC,?), ref: 00E2BC3F
CoUninitialize.OLE32 ref: 00E2BC5C

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

Strings

.lnk, xrefs: 00E2BC08, 00E2BC16

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 8d15d8746f1798c84c27a4da848869b848be523c0dc16e1c4c18b3fedc6dc555
Instruction ID: 6aeb71bb7ce867ecd7e4b81206fb26e026f8747097257af7af28d40d515724cc
Opcode Fuzzy Hash: 8d15d8746f1798c84c27a4da848869b848be523c0dc16e1c4c18b3fedc6dc555
Instruction Fuzzy Hash: 4EA155752043129FCB04DF24C494E5ABBE5FF88314F05898CF899AB2A1CB31ED45CBA1

Function 00E1B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E1B981

Strings

%, xrefs: 00E1BA24
Container, xrefs: 00E1B8FE
AutoIt3GUI, xrefs: 00E1B8F9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: a1b59bbed9eedb27c28dbbea1bc812560fd4c848051ef27cd5e42341546962d1
Instruction ID: 407a112577d19bafa6cfa5866b394d33db7ca0bf0dad75e77af68049e204e12d
Opcode Fuzzy Hash: a1b59bbed9eedb27c28dbbea1bc812560fd4c848051ef27cd5e42341546962d1
Instruction Fuzzy Hash: 69915D706003019FDB24DF24C885AA6BBF9FF49714F14956DF94AEB291DB70E881CB60

Function 00DE524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00DE52DD

Part of subcall function 00DF0340: __87except.LIBCMT ref: 00DF037B

Strings

pow, xrefs: 00DE52B5, 00DE52D2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ab10ad309121ffd38cc61d60ea075e32d255dc051b6bc38e4c58d4542e29f6fb
Instruction ID: 2e21f74156cf92bd68a8a46588a88aadcbd54e19ab982884d54450ca5e0876c0
Opcode Fuzzy Hash: ab10ad309121ffd38cc61d60ea075e32d255dc051b6bc38e4c58d4542e29f6fb
Instruction Fuzzy Hash: 08518A20A0964986CB117726E90037E6FD4EB00384F28CD58E2D5832EFEE74CCD89A76

Function 00DE023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00DE0280
+, xrefs: 00DE0277

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: decf58421ea873619e242f8d472cfff4185405bc0e8d2ca8b693b61b3cd35fb6
Instruction ID: aa34c345b583f0c15aa2eb44dfe40e0132ddacea66cfc3c420de0491fbace08b
Opcode Fuzzy Hash: decf58421ea873619e242f8d472cfff4185405bc0e8d2ca8b693b61b3cd35fb6
Instruction Fuzzy Hash: 38513676104246CFDF15EF29D488AFA7BA4EF96314F184055E891AB2A0C7749CC2CB71

Function 00DD62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD63A8
_memmove.LIBCMT ref: 00DD6446
_memset.LIBCMT ref: 00DD646A

Strings

ERCP, xrefs: 00DD6313

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 66f3fe2f4ebbff89c06aaf930dc6acae39da1346442004f89d282d9db14d3f7f
Instruction ID: d7761ff814632c9615c2e6768cdc87ebd8ab039231c0e2e06dd78f79899e1155
Opcode Fuzzy Hash: 66f3fe2f4ebbff89c06aaf930dc6acae39da1346442004f89d282d9db14d3f7f
Instruction Fuzzy Hash: 9D51B171A043099BCB24DF65C8857EABBF4EF04314F24856FE64AD7241E771D684CBA0

Function 00E47BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E4F910,00000000,?,?,?,?), ref: 00E47C4E
GetWindowLongW.USER32 ref: 00E47C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E47C7B

Strings

SysTreeView32, xrefs: 00E47C20

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 1931a04e0e6721a6f45b0a1d7ad6ca077048daeb6e143113ff08d9af7b077684
Instruction ID: ca6ae4e0b2a3e11eef70f64d0deb54b920b255d30d7ba9ca36e5b264eefe3328
Opcode Fuzzy Hash: 1931a04e0e6721a6f45b0a1d7ad6ca077048daeb6e143113ff08d9af7b077684
Instruction Fuzzy Hash: 5831B231604206AFDB118F34EC45BEA77A9EB49328F205729F8B5B31E0C731E8519BA0

Function 00E47648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E476D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E476E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E47708

Strings

SysMonthCal32, xrefs: 00E4769B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4606e9890d282259c4a209a2f89eee1655ee49133ed2e4376f304f48a0e4740b
Instruction ID: c2c156f68a5345f7b09403dd60349fed62189231561c032734c3013e11df91c1
Opcode Fuzzy Hash: 4606e9890d282259c4a209a2f89eee1655ee49133ed2e4376f304f48a0e4740b
Instruction Fuzzy Hash: 3321EF32500218AFDF158EA4DC46FEA3BA9EB48714F111254FE557B1D0DBB1A8508BE0

Function 00E46F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E46FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E46FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E46FDF

Strings

Listbox, xrefs: 00E46F77

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ed4543ac39c4dd93d112469a2e5b003a90e0cac7612527c1657791ad8307c1ec
Instruction ID: 302e9a1c5a4337f48275ff0c9ded00f33d83ffb58b43f55efeec02374747f01a
Opcode Fuzzy Hash: ed4543ac39c4dd93d112469a2e5b003a90e0cac7612527c1657791ad8307c1ec
Instruction Fuzzy Hash: 3821C232710218BFDF118F54EC85FAB37AAEF8A758F019124F944AB190C671AC56CBA0

Function 00E4797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E479E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E479F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E47A03

Strings

msctls_trackbar32, xrefs: 00E479B8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0b01f0a59b7d3380f321010b8f3d8c267971d2246bddd2f687f752c863f3b346
Instruction ID: fe3fd35ba295e59cb9717c6e4802b6182075b98a951e44a4d642656eb4be9a40
Opcode Fuzzy Hash: 0b01f0a59b7d3380f321010b8f3d8c267971d2246bddd2f687f752c863f3b346
Instruction Fuzzy Hash: 8111C132654248BAEF149E61DC05FEB37A9EF89B68F024519FA45B6090D372A811DBA0

Function 00DC4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DC4C2E), ref: 00DC4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DC4CB5

Strings

kernel32.dll, xrefs: 00DC4C9E
GetNativeSystemInfo, xrefs: 00DC4CAF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 15e280e7e9b7d2fe7d321a95c75fb0ac94d8f5159d058e3417a21d74b74c9f6e
Instruction ID: 5d6e88512d1d59948fbd7cd154bbc23187f31fcaaec2433fbe92e1985a057dba
Opcode Fuzzy Hash: 15e280e7e9b7d2fe7d321a95c75fb0ac94d8f5159d058e3417a21d74b74c9f6e
Instruction Fuzzy Hash: 82D01274511723CFD7205F31DA18A0676D5AF06B91B15883DD885E6660DA70D480C660

Function 00DC4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DC4CE1,?), ref: 00DC4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DC4DB4

Strings

kernel32.dll, xrefs: 00DC4D9D
Wow64RevertWow64FsRedirection, xrefs: 00DC4DAE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3c16b2854dc1e3dd20bbf514123456367b36ee230166ec502c2824e9f483d8bc
Instruction ID: 86eb22d21ba7d2169490417b27cbff1d58b8ac5eaa89c2d2576aa3311e3f961d
Opcode Fuzzy Hash: 3c16b2854dc1e3dd20bbf514123456367b36ee230166ec502c2824e9f483d8bc
Instruction Fuzzy Hash: 8ED01775950713CFD720AF32D818B4676E4AF06BA5B15C87ED8C6E6650EB70D880CA60

Function 00DC4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DC4D2E,?,00DC4F4F,?,00E862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DC4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DC4D81

Strings

kernel32.dll, xrefs: 00DC4D6A
Wow64DisableWow64FsRedirection, xrefs: 00DC4D7B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 75ee5af55effebd109810dc4f85f0c7cbd318836c25346bd9faa32cc4f029614
Instruction ID: 03f94c8c6778c2144ac334d441da265d3748674446bc52b9dd5a9940db5ec829
Opcode Fuzzy Hash: 75ee5af55effebd109810dc4f85f0c7cbd318836c25346bd9faa32cc4f029614
Instruction Fuzzy Hash: FFD01274510713CFD7205F31D818B1676D8BF16751B19C97DD887E6650D670D480CA60

Function 00E41072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E412C1), ref: 00E41080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E41092

Strings

advapi32.dll, xrefs: 00E4107B
RegDeleteKeyExW, xrefs: 00E4108C

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 17aa9ede0be1c2329b70aefe26e128b805cf4ff0f9b0c567ab252c625f1ff939
Instruction ID: 75e96c5497de0df606f18a87a70f09f8901574504fe86489bc267b40d4b04391
Opcode Fuzzy Hash: 17aa9ede0be1c2329b70aefe26e128b805cf4ff0f9b0c567ab252c625f1ff939
Instruction Fuzzy Hash: F4D0C230411352CFC7204F31E818A1672E4AF05751F01DC39E489F6260DB70C4C0C600

Function 00E393F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E39009,?,00E4F910), ref: 00E39403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E39415

Strings

kernel32.dll, xrefs: 00E393FE
GetModuleHandleExW, xrefs: 00E3940F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 09fd69cc65a6a4becc781cca1ff9a5fd50613ea6bb83414ae7f9cc540a9ab17a
Instruction ID: 2f74d6732a006ee5aeab835c70662a516ea5c3762a4b52fda4d3ef526ff2cd33
Opcode Fuzzy Hash: 09fd69cc65a6a4becc781cca1ff9a5fd50613ea6bb83414ae7f9cc540a9ab17a
Instruction Fuzzy Hash: 2ED0C234500313CFC7205F31DA4C50776D4AF02741F10D839D495F2651D7B0C480C610

Function 00E176C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9868469739cb9d5f008a8258c3d162c3c388a01a0468d50078fe65e55e9510
Instruction ID: 0ab8f6441890e302e9e5ad7914838dd267bf6f6ab90ac3aec8aee787f7fe4583
Opcode Fuzzy Hash: fc9868469739cb9d5f008a8258c3d162c3c388a01a0468d50078fe65e55e9510
Instruction Fuzzy Hash: B1C17E74A04216EFCB14CF94C884EAEB7F5FF88B14B119599E885EB251D730EE81CB90

Function 00E3E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E3E3D2
CharLowerBuffW.USER32(?,?), ref: 00E3E415

Part of subcall function 00E3DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E3DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E3E615
_memmove.LIBCMT ref: 00E3E628

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 962a84ee29c2e38d44c8ef3f8e92383ee20f4f289fdd5d96138b7cf21575b4da
Instruction ID: 61d79c59099c8574e82e22e78db72a980bddc337322fa5fcda132211350610a0
Opcode Fuzzy Hash: 962a84ee29c2e38d44c8ef3f8e92383ee20f4f289fdd5d96138b7cf21575b4da
Instruction Fuzzy Hash: 8BC15A716083019FC714DF28C484A6ABBE4FF88718F14896DF899AB391D771E946CF92

Function 00E383A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E383D8
CoUninitialize.OLE32 ref: 00E383E3

Part of subcall function 00E1DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E1DAC5

VariantInit.OLEAUT32(?), ref: 00E383EE
VariantClear.OLEAUT32(?), ref: 00E386BF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f2469e5a7bcd4493b04fe8fb1d0527762538997567a08a0013a84e8a6744ee58
Instruction ID: 176868bef721b92efc71298109e4f39493376c0c24dc69acc42c1d2953eda8d6
Opcode Fuzzy Hash: f2469e5a7bcd4493b04fe8fb1d0527762538997567a08a0013a84e8a6744ee58
Instruction Fuzzy Hash: CCA114752047029FCB10DF25C999B5ABBE4BF88714F15544CF99AAB3A1CB30ED05CB62

Function 00E16DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E16E04
SysAllocString.OLEAUT32(00000000), ref: 00E16EAD
VariantCopy.OLEAUT32 ref: 00E16EDC
VariantClear.OLEAUT32(?), ref: 00E16F03

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 5d0be561a05998fedb24f7d40e7371fcc47b5a94023352079989c333e058f83c
Instruction ID: 02c746ca74fe103407e6ca3e914d8cd22bdce7a2f3f2358c782c4635dd960b75
Opcode Fuzzy Hash: 5d0be561a05998fedb24f7d40e7371fcc47b5a94023352079989c333e058f83c
Instruction Fuzzy Hash: E85196747043029ADB20AF65D495BE9B3F5EF4C710F20A81FE596EB291DE70D8C19B11

Function 00E297E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00DC5045: _fseek.LIBCMT ref: 00DC505D

Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AAE
Part of subcall function 00E299BE: _wcscmp.LIBCMT ref: 00E29AC1

_free.LIBCMT ref: 00E2992C
_free.LIBCMT ref: 00E29933
_free.LIBCMT ref: 00E2999E

Part of subcall function 00DE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE9C64), ref: 00DE2FA9
Part of subcall function 00DE2F95: GetLastError.KERNEL32(00000000,?,00DE9C64), ref: 00DE2FBB

_free.LIBCMT ref: 00E299A6

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: fe424a7e9c954a8825a2116f5ee48cfda745a03b5e630ecb59a542e419ca2b8d
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: 665151B1904258AFDF249F65DC81A9EBBB9EF48310F14049EB609A7241DB715D80CF69

Function 00E49A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0192E3E0,?), ref: 00E49AD2
ScreenToClient.USER32(00000002,00000002), ref: 00E49B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E49B72

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: dd64c30067dd3e5b8129e4abad31b604ec2f0146c08a225ddb8a6d6c3c81d509
Instruction ID: 2e49763e1e46a6941c75c1a4fd627761498307bfa7fc07ca7441d2c46ee0dde6
Opcode Fuzzy Hash: dd64c30067dd3e5b8129e4abad31b604ec2f0146c08a225ddb8a6d6c3c81d509
Instruction Fuzzy Hash: B9514D34A00209EFCF14DF68E881AAE7BB5FF45324F108259F819BB2A1D730AD41DB94

Function 00E36CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E36CE4
WSAGetLastError.WSOCK32(00000000), ref: 00E36CF4

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E36D58
WSAGetLastError.WSOCK32(00000000), ref: 00E36D64

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 7e90f517339d4b8aca4f30542dc34bd099d4aba509d5a19c5f4715c86169973f
Instruction ID: f7284c7f2c25d93d44384b139f8251e6b4556b088cb53120fea80530276d23cf
Opcode Fuzzy Hash: 7e90f517339d4b8aca4f30542dc34bd099d4aba509d5a19c5f4715c86169973f
Instruction Fuzzy Hash: D341C274740201AFEB10AF34DC8AF7A7BE9DB04B14F54801CFA19AF2C2DA719C018BA1

Function 00E3672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E4F910), ref: 00E367BA
_strlen.LIBCMT ref: 00E367EC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: bd2943b46b30102bc8caa61df572da516686309ec27aea1c3f09e55a11fd2d47
Instruction ID: 884f3197c4b6c84c548f90576080aa09c812f86e6b07b917dcdbfb3a396a3d90
Opcode Fuzzy Hash: bd2943b46b30102bc8caa61df572da516686309ec27aea1c3f09e55a11fd2d47
Instruction Fuzzy Hash: 1F41E331A00105AFCB14EBB4DCD9FAEB7A9EF48314F158169F815AB292DB30AD40C760

Function 00E2BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E2BB09
GetLastError.KERNEL32(?,00000000), ref: 00E2BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E2BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E2BB80

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5b2a4a869b1c6fae25c145a385d19077320528abdeb1dd94a00f78f2087b2c24
Instruction ID: 32adc9c450bd46d7d8f3963380c9b660f66cf9bf3ac68afeed6dcc3e082859e0
Opcode Fuzzy Hash: 5b2a4a869b1c6fae25c145a385d19077320528abdeb1dd94a00f78f2087b2c24
Instruction Fuzzy Hash: 17412B39200A11DFCB11EF25D599E5DBBE1EF49714B099498E84AAB362CB34FD01CFA1

Function 00E48AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E48B4D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7c0ae72b91ce4bd33766c1785312beff46dff0c61178f531c2236188cfe26ee3
Instruction ID: 396ed97b5d155c5d57db6d2fd266294d6508a4d18308a76b781b45c2eb070018
Opcode Fuzzy Hash: 7c0ae72b91ce4bd33766c1785312beff46dff0c61178f531c2236188cfe26ee3
Instruction Fuzzy Hash: 1B3104B8640204BFEF249E18EE45FED37A4EB05318F246616FA45F72A0CE30AD409751

Function 00E4ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E4AE1A
GetWindowRect.USER32(?,?), ref: 00E4AE90
PtInRect.USER32(?,?,00E4C304), ref: 00E4AEA0
MessageBeep.USER32(00000000), ref: 00E4AF11

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c90b7feb97009939d6e53bede46bbc2872fe47f049655d40dc5141502bf6c230
Instruction ID: 87ba08de20998e844d75fbfd452ed7326105273928456b6b12636c1eb5977dab
Opcode Fuzzy Hash: c90b7feb97009939d6e53bede46bbc2872fe47f049655d40dc5141502bf6c230
Instruction Fuzzy Hash: D041B170640105DFCB15CF59E884B997BF5FF49360F1891B9E428EB261C730A846CF92

Function 00E20FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E21037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00E21053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E210B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E2110B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8bb3db5d071faea74c2a2829ae493247e2ee20eb38824d246c6b24ae2606afb
Instruction ID: 13333e17782c81e97b6daee5835b455e5369c0eb18c616021e4946806a416fa0
Opcode Fuzzy Hash: d8bb3db5d071faea74c2a2829ae493247e2ee20eb38824d246c6b24ae2606afb
Instruction Fuzzy Hash: AA319C30E406B8AEFF308B66AC05FFEBBA9AB65314F08529AE580721D1C3744FC58751

Function 00E21121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E21176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E21192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E211F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E21243

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 03430e5f3bc3c96a4fe4d4ca1bee5be7ee8a4080482e99b6c394f2cfb889c377
Instruction ID: 5e561835b3c2dd913837bc2fbdbf135336eb826679e413062241fb51c632360d
Opcode Fuzzy Hash: 03430e5f3bc3c96a4fe4d4ca1bee5be7ee8a4080482e99b6c394f2cfb889c377
Instruction Fuzzy Hash: 97314830A413689EEF208E65AC057FE7BAAAB69314F08639AF590B21E1C3344B659751

Function 00DF6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DF644B
__isleadbyte_l.LIBCMT ref: 00DF6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DF64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DF64DD

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4f597d25519881def4a1b5cb8d3785102eed05d38b64cd07a4502cdf6336631e
Instruction ID: 391ddf883bd8eb331b48ba9abd18436570a5c2464c149af4b99814572c399951
Opcode Fuzzy Hash: 4f597d25519881def4a1b5cb8d3785102eed05d38b64cd07a4502cdf6336631e
Instruction Fuzzy Hash: EB31D23160824EAFDB21AF75C845BBA7BB5FF41710F1A8029E96487591D731D890DBB0

Function 00E45175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E45189

Part of subcall function 00E2387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E23897
Part of subcall function 00E2387D: GetCurrentThreadId.KERNEL32 ref: 00E2389E
Part of subcall function 00E2387D: AttachThreadInput.USER32(00000000,?,00E252A7), ref: 00E238A5

GetCaretPos.USER32(?), ref: 00E4519A
ClientToScreen.USER32(00000000,?), ref: 00E451D5
GetForegroundWindow.USER32 ref: 00E451DB

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 90251c42081bdf97f188cdbfac533dbf02547743e305cba1afb58bf5eca9d5c5
Instruction ID: 41b4b5c2ed04a6a6b8d6bf7c081c95f652fb5bfd2a824c347bb2c448a89f6c3c
Opcode Fuzzy Hash: 90251c42081bdf97f188cdbfac533dbf02547743e305cba1afb58bf5eca9d5c5
Instruction Fuzzy Hash: EC312C76900109AFDB04EFA5D885EEFF7F9EF98300F10406AE415E7241EA759E45CBA0

Function 00E4C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

GetCursorPos.USER32(?), ref: 00E4C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DFBBFB,?,?,?,?,?), ref: 00E4C7D7
GetCursorPos.USER32(?), ref: 00E4C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DFBBFB,?,?,?), ref: 00E4C85E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: efdb20515a32fd86f31dd140dee6ec34710a5932b63d9d421dc809dd7ebc2679
Instruction ID: 27ed319fd5e8ad0442e438ac56e86807e74d8d6cf43ac854ad991b94c151c029
Opcode Fuzzy Hash: efdb20515a32fd86f31dd140dee6ec34710a5932b63d9d421dc809dd7ebc2679
Instruction Fuzzy Hash: 3E310F35601018AFCB19CF5AD888EFA7BBAEB0D710F104069F908AB261D331AD50DFA0

Function 00DE0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00DE0BF2

Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E27B20,?,?,00000000), ref: 00DC5B8C
Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E27B20,?,?,00000000,?,?), ref: 00DC5BB0

_fprintf.LIBCMT ref: 00DE0C29
OutputDebugStringW.KERNEL32(?), ref: 00E16331

Part of subcall function 00DE4CDA: _flsall.LIBCMT ref: 00DE4CF3

__setmode.LIBCMT ref: 00DE0C5E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 2c0b05e78b71d1328b5d7b3569c5cd5f4d24071aca1b1877a9189cc68a462f54
Instruction ID: 9f8025033643c16b0b055e0ae670ecc58f3c47c71309fc912c6d84ec1e161da6
Opcode Fuzzy Hash: 2c0b05e78b71d1328b5d7b3569c5cd5f4d24071aca1b1877a9189cc68a462f54
Instruction Fuzzy Hash: 6511E4329042456ECB04B7B6AC46EBEBB69DF85320F24015AF108A71D2DE615DC687B5

Function 00E18B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E18652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E18669
Part of subcall function 00E18652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E18673
Part of subcall function 00E18652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E18682
Part of subcall function 00E18652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E18689
Part of subcall function 00E18652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E1869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E18BEB
_memcmp.LIBCMT ref: 00E18C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E18C44
HeapFree.KERNEL32(00000000), ref: 00E18C4B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 049fe74a08ac2a5be4840aa6da94b8d43a1ea6daf49543b14977586500c440d1
Instruction ID: 3710de35c7b8927119412f1b1a14337b6cbc8c70f4a80afc78eb7dfa489ed529
Opcode Fuzzy Hash: 049fe74a08ac2a5be4840aa6da94b8d43a1ea6daf49543b14977586500c440d1
Instruction Fuzzy Hash: BB216971E02208EFDB10DFA5CA45BEEB7B8EF54358F144059E854B7241DB31AA86CBA1

Function 00E31A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E31A97

Part of subcall function 00E31B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E31B40
Part of subcall function 00E31B21: InternetCloseHandle.WININET(00000000), ref: 00E31BDD

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 1687a46ffc20617c1336f39c61bc3074417e5ce602481528099ec300082ed664
Instruction ID: 4a1d1c34bb5e27f6f9fb54e1591d569034811f27b813d8404b0900a9593b6c86
Opcode Fuzzy Hash: 1687a46ffc20617c1336f39c61bc3074417e5ce602481528099ec300082ed664
Instruction Fuzzy Hash: FA219F35200601BFDB119F608C09FBABBA9FF45705F10506EFA51A6650EB75D815DBA0

Function 00E1E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E1E1C4,?,?,?,00E1EFB7,00000000,000000EF,00000119,?,?), ref: 00E1F5BC
Part of subcall function 00E1F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00E1F5E2
Part of subcall function 00E1F5AD: lstrcmpiW.KERNEL32(00000000,?,00E1E1C4,?,?,?,00E1EFB7,00000000,000000EF,00000119,?,?), ref: 00E1F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E1EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E1E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00E1E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E1EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E1E237

Strings

cdecl, xrefs: 00E1E22E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 13872fe3bc6ed863be61e57d90a7de679e10633f67c2e312fa9862b31e6159ba
Instruction ID: efbfd722753ccb2b9e6f5b1cd7e0dabb70961fcf5c41b4138d1a9a32e9a74ce2
Opcode Fuzzy Hash: 13872fe3bc6ed863be61e57d90a7de679e10633f67c2e312fa9862b31e6159ba
Instruction Fuzzy Hash: 3911D03A200341EFCB25AF64DC45DBA77A9FF89710B40902AF806DB260EB71D891C7A0

Function 00DF5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DF5351

Part of subcall function 00DE594C: __FF_MSGBANNER.LIBCMT ref: 00DE5963
Part of subcall function 00DE594C: __NMSG_WRITE.LIBCMT ref: 00DE596A
Part of subcall function 00DE594C: RtlAllocateHeap.NTDLL(01910000,00000000,00000001,00000000,?,?,?,00DE1013,?), ref: 00DE598F

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c1dc846951d11bf9956e11b8608591e7c841bb7342ddd80e46dc22639f0fcf72
Instruction ID: 4e60eb4cb660dfb7d10d6cd8baed283981d2d593f1d1701d08aa0d6c28714e64
Opcode Fuzzy Hash: c1dc846951d11bf9956e11b8608591e7c841bb7342ddd80e46dc22639f0fcf72
Instruction Fuzzy Hash: CC110432404A1AAECB213F7ABC0467D37D8DF013A0F158429FB49AA195DA7289419770

Function 00DC4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC4560

Part of subcall function 00DC410D: _memset.LIBCMT ref: 00DC418D
Part of subcall function 00DC410D: _wcscpy.LIBCMT ref: 00DC41E1
Part of subcall function 00DC410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DC41F1

KillTimer.USER32(?,00000001,?,?), ref: 00DC45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DC45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DFD6CE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 47f59e8a8fece02a02dd249d34ae1a947668bb954d15d59f9871d315fc4bb14c
Instruction ID: 1efc194b66ae94b86eb520ff20c822e8d4c2083023b3f1cb731376dc5ae6ff98
Opcode Fuzzy Hash: 47f59e8a8fece02a02dd249d34ae1a947668bb954d15d59f9871d315fc4bb14c
Instruction Fuzzy Hash: 5621D770904788AFEB328B24D859FF7BBED9F01304F04409EE79EA7241C7745A899B61

Function 00E3667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E27B20,?,?,00000000), ref: 00DC5B8C
Part of subcall function 00DC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E27B20,?,?,00000000,?,?), ref: 00DC5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00E366AC
WSAGetLastError.WSOCK32(00000000), ref: 00E366B7
_memmove.LIBCMT ref: 00E366E4
inet_ntoa.WSOCK32(?), ref: 00E366EF

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d1ed22d670a6857b413a676da3ff991639cdfb6692a69597b03de4aec544d169
Instruction ID: 83dbc3b33363cff685422373fef23db2ee3abe715759e6002eb64457ed83bb19
Opcode Fuzzy Hash: d1ed22d670a6857b413a676da3ff991639cdfb6692a69597b03de4aec544d169
Instruction Fuzzy Hash: 1C115E36500509AFCB04EBA5EE9AEEEB7B9EF08710B144069F506B7161DF30AE44CB71

Function 00E19023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E19043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E19055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E1906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E19086

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: eedea39c56fad8b70629ff81c8091a487824b2ea41bf0c65707303d80acbd528
Instruction ID: 4f4940ce403f4bac863c074195d5f33f78c36124a2e6283554bf4e6a612487c9
Opcode Fuzzy Hash: eedea39c56fad8b70629ff81c8091a487824b2ea41bf0c65707303d80acbd528
Instruction Fuzzy Hash: BE115A79901218FFEB10DFA5CC84EEDBBB8FB48710F2040A5EA04B7290D6726E50DB90

Function 00DC1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00DC2612: GetWindowLongW.USER32(?,000000EB), ref: 00DC2623

DefDlgProcW.USER32(?,00000020,?), ref: 00DC12D8
GetClientRect.USER32(?,?), ref: 00DFB84B
GetCursorPos.USER32(?), ref: 00DFB855
ScreenToClient.USER32(?,?), ref: 00DFB860

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9a14361dc91c4ac9f3030411b2feff6424faf88bf733165f3303912243d8c93c
Instruction ID: 4585ab1eb2f9ef53dad6c2466b24fdacada75cc45d03ee2add66ceec1640352b
Opcode Fuzzy Hash: 9a14361dc91c4ac9f3030411b2feff6424faf88bf733165f3303912243d8c93c
Instruction Fuzzy Hash: 6B11EC3D90012AAFDB10DF95D886EBEB7B8FB06301F10445AE951E7151C730AA568BB9

Function 00E21652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E2166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E21694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E2169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00E201FD,?,00E21250,?,00008000), ref: 00E216D1

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 779efe3fa971b471df0734b9cc11aabc7a5bca05d1e4cb2fb6d2d66e2dfd604d
Instruction ID: 97177d725089cc4ec8a481d1048a57edcb9c3206d09aa8cc55ce0e88e55c18bd
Opcode Fuzzy Hash: 779efe3fa971b471df0734b9cc11aabc7a5bca05d1e4cb2fb6d2d66e2dfd604d
Instruction Fuzzy Hash: 98113C31C0152DDBCF00AFA6E948AEEBB78FF19751F054095E944B6240CB3056A4CBE6

Function 00DF7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00DF722B

Part of subcall function 00DF7912: __fltout2.LIBCMT ref: 00DF793B

__cftog_l.LIBCMT ref: 00DF7251
__cftoe_l.LIBCMT ref: 00DF7283

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 4b9cc1de67c057dde2e115ce276a08a19b7724a375e2df6d331ae42ff6e9f10e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 4A014C3604814EBBCF125E84DC018EE3F62BF69355B5AC615FB5858031D237C9B2ABA5

Function 00E4B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E4B59E
ScreenToClient.USER32(?,?), ref: 00E4B5B6
ScreenToClient.USER32(?,?), ref: 00E4B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4B5F5

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: af7fdd9febb8a440d6e11353566e7b242e09a0b497765d819769826b32f501e1
Instruction ID: 7e556acdbe1fe0224f6641058d7deada6281724e720b127743a03de1423b430c
Opcode Fuzzy Hash: af7fdd9febb8a440d6e11353566e7b242e09a0b497765d819769826b32f501e1
Instruction Fuzzy Hash: A81146B9D00209EFDB41CF99D4449EEFBF5FB09310F104166E915E3220D735AA558F91

Function 00E4B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E4B8FE
_memset.LIBCMT ref: 00E4B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E87F20,00E87F64), ref: 00E4B93C
CloseHandle.KERNEL32 ref: 00E4B94E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: f0e329acbbd3469a6be0c9bf9fc26e8febe9dd095a90ea04c33925ab6cab6cfe
Instruction ID: 564dfe55c2e04f430723b1e25103d9fcdb477301e1d9fc35c899c22399bbf78f
Opcode Fuzzy Hash: f0e329acbbd3469a6be0c9bf9fc26e8febe9dd095a90ea04c33925ab6cab6cfe
Instruction Fuzzy Hash: 25F05EB2658310BFE2103B67AC0AFBB3A9CEB09755F101060FB4CF6192D771990487B8

Function 00E26E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00E26E88

Part of subcall function 00E2794E: _memset.LIBCMT ref: 00E27983

_memmove.LIBCMT ref: 00E26EAB
_memset.LIBCMT ref: 00E26EB8
LeaveCriticalSection.KERNEL32(?), ref: 00E26EC8

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 65e22003aeb8ec38e96b21f5640eda4aaa83e700cc607fdb7534cea245f97c09
Instruction ID: 9dd2fc3835906cf1e12104a596f6aea11ea4b0dd5d9ebf787559c46d8e6e7818
Opcode Fuzzy Hash: 65e22003aeb8ec38e96b21f5640eda4aaa83e700cc607fdb7534cea245f97c09
Instruction Fuzzy Hash: 06F0543A200210ABCF016F55EC85A4ABB69EF85320B048061FE086F227C771E951CBB4

Function 00E4C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DC134D
Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC135C
Part of subcall function 00DC12F3: BeginPath.GDI32(?), ref: 00DC1373
Part of subcall function 00DC12F3: SelectObject.GDI32(?,00000000), ref: 00DC139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E4C030
LineTo.GDI32(00000000,?,?), ref: 00E4C03D
EndPath.GDI32(00000000), ref: 00E4C04D
StrokePath.GDI32(00000000), ref: 00E4C05B

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 264b9ea22ef54327a06b541668216cfdcbc580b95f4294d8ff663c0f45af5504
Instruction ID: 549282bb92c3c3a57a4ded90aef065c5232b6bdd2bbc91d5d38b72ca80e74050
Opcode Fuzzy Hash: 264b9ea22ef54327a06b541668216cfdcbc580b95f4294d8ff663c0f45af5504
Instruction Fuzzy Hash: 5DF0BE39002269FFDB226F52AC0EFCE3F58AF06710F144000FA15320E287B5055ACBA5

Function 00E1A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E1A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E1A3AC
GetCurrentThreadId.KERNEL32 ref: 00E1A3B3
AttachThreadInput.USER32(00000000), ref: 00E1A3BA

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bd10ed6bdd4cc193d05ab86e49838fd76230dd0731981846847768d44a94594d
Instruction ID: a003588233c585bf101ca45d9d70715be4a4131570e46b13bf7a65db637011ef
Opcode Fuzzy Hash: bd10ed6bdd4cc193d05ab86e49838fd76230dd0731981846847768d44a94594d
Instruction Fuzzy Hash: ECE01571542228BAEB211FA2DC0CFEB7E5CEF16BA1F048075F909A4060C671C5858BE0

Function 00DC2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DC2231
SetTextColor.GDI32(?,000000FF), ref: 00DC223B
SetBkMode.GDI32(?,00000001), ref: 00DC2250
GetStockObject.GDI32(00000005), ref: 00DC2258
GetWindowDC.USER32(?,00000000), ref: 00DFC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DFC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00DFC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00DFC112
GetPixel.GDI32(00000000,?,?), ref: 00DFC132
ReleaseDC.USER32(?,00000000), ref: 00DFC13D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: b85f819f7d9dd4bcbe95176fe188454cbd282928d1920402e18cc62e010a337b
Instruction ID: 9daf090d25b3776f5e75c273d9c442bf0c486fbbe80385c52e2d8967dddfa719
Opcode Fuzzy Hash: b85f819f7d9dd4bcbe95176fe188454cbd282928d1920402e18cc62e010a337b
Instruction Fuzzy Hash: C5E06D36500248EEEB215FA5FC0DBE87B10EB06736F048366FB69681E287714996DB21

Function 00E18C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00E18C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00E1882E), ref: 00E18C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E1882E), ref: 00E18C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00E1882E), ref: 00E18C7E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3602a8783bbcedc8d9d2bcaf062be4927b63fb680a0be6f04d31c737333a390b
Instruction ID: d1f0a3963183d43cbfc3ab9413ef548732adbc79620a598f5d4fca743d55f41c
Opcode Fuzzy Hash: 3602a8783bbcedc8d9d2bcaf062be4927b63fb680a0be6f04d31c737333a390b
Instruction Fuzzy Hash: 35E0863A642211DFD7205FB66E0CB977BACEF92B96F054828F245E9050DA34848ACB61

Function 00E02187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E02187
GetDC.USER32(00000000), ref: 00E02191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E021B1
ReleaseDC.USER32(?), ref: 00E021D2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 536b4827e0faa5031da8ad8396bf09bfe46e9745cea4de797d9e1d7c6417eee7
Instruction ID: a5320aff6b22a91a4025164d4b819912fed84a9aebbb7b031ccd23c18be989d5
Opcode Fuzzy Hash: 536b4827e0faa5031da8ad8396bf09bfe46e9745cea4de797d9e1d7c6417eee7
Instruction Fuzzy Hash: EAE0E579800605EFDB01AF62D808A9E7BF1EB4D750F128469FD5AA7260CB7881469F90

Function 00E0219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E0219B
GetDC.USER32(00000000), ref: 00E021A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E021B1
ReleaseDC.USER32(?), ref: 00E021D2

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d73c28352eb8786da720eb67a64513f07b0b94fa61933d3a3741720d6c2a554c
Instruction ID: 53e73cf3d82d6f8f6c9ce4e09a5d74e72e0fbf30860f2c2351d851ab5fcbe4a0
Opcode Fuzzy Hash: d73c28352eb8786da720eb67a64513f07b0b94fa61933d3a3741720d6c2a554c
Instruction Fuzzy Hash: 4FE01A79800205EFCF01AF72C808A9E7BF1EB4D710F128069FD5AE7260CB7891469F90

Function 00DC63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00DC63AE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 39424081266028a3b422be6ae5a3e2322058d34f705bc4b8aacf7adb07fc33fa
Instruction ID: 1b701d43f6e182cc5d52aae632a16bb4c149bba0f8718c22e89045b899ffc36e
Opcode Fuzzy Hash: 39424081266028a3b422be6ae5a3e2322058d34f705bc4b8aacf7adb07fc33fa
Instruction Fuzzy Hash: 67B16C7590420B9ACF14EF98C481FEEB7B4EF44310F64412EE952A7295DA34DE82CBB1

Function 00E3B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00E3B2C3

Strings

xr, xrefs: 00E3B325
xr, xrefs: 00E3B2F9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: dc34f60ed04ab49dc6f6394a00a7eca244eafe4987a279b183f7958fe81ef859
Instruction ID: 65eaedc81b18ea63362f5ffd3bcc02b169e9788778da81e2fa1e91dcbf5bd4eb
Opcode Fuzzy Hash: dc34f60ed04ab49dc6f6394a00a7eca244eafe4987a279b183f7958fe81ef859
Instruction Fuzzy Hash: 74B19170A00109EFCB14DF54C895EBEBBB9FF58304F149559FA46AB252EB70E941CB60

Function 00E2B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDFEC6: _wcscpy.LIBCMT ref: 00DDFEE9

Part of subcall function 00DC9997: __itow.LIBCMT ref: 00DC99C2
Part of subcall function 00DC9997: __swprintf.LIBCMT ref: 00DC9A0C

__wcsnicmp.LIBCMT ref: 00E2B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E2B361

Strings

LPT, xrefs: 00E2B292

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 6dbffba1dc8ff2eeccccadaeb5652897c027b5ef1a88991a1211ea361717e404
Instruction ID: 7bab96765ca6ef369cae42d313578b998378b62346d85310f4d8d00be364c01c
Opcode Fuzzy Hash: 6dbffba1dc8ff2eeccccadaeb5652897c027b5ef1a88991a1211ea361717e404
Instruction Fuzzy Hash: 24616176A00225EFCB14EF94D895EEEB7B4EF08710F15506AF546BB291DB70AE40CB60

Function 00DD2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00DD2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00DD2AE1

Strings

@, xrefs: 00DD2AD5

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 749870e8af16ddcd6163cc982756af3b300c9f2dd3202e63d25e7510eff3a494
Instruction ID: 744ad8972d6f371a7591aefd810498e6ca8409991fd3fd2f78c5b20384c55c6f
Opcode Fuzzy Hash: 749870e8af16ddcd6163cc982756af3b300c9f2dd3202e63d25e7510eff3a494
Instruction Fuzzy Hash: 655148724187459BD320AF11D89AFABBBE8FF84310F42485DF1D9921A5DB708529CB26

Function 00E299BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DC506B: __fread_nolock.LIBCMT ref: 00DC5089

_wcscmp.LIBCMT ref: 00E29AAE
_wcscmp.LIBCMT ref: 00E29AC1

Strings

FILE, xrefs: 00E299FA

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: aeee313f08806482ea77db88e1b60d9a456707f27ae4fd86de4bf35e807e62b2
Instruction ID: 2a4d51184a0253d3bb611aca795facfa88d4932846041e47414b33eb53c8b30f
Opcode Fuzzy Hash: aeee313f08806482ea77db88e1b60d9a456707f27ae4fd86de4bf35e807e62b2
Instruction Fuzzy Hash: 8E41D671A0061ABADF20AAA0EC46FEFB7BDEF45714F000079F904F7185DA75AA4487B1

Function 00E0099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E009A9

Strings

Dt, xrefs: 00DCA2B1
Dt, xrefs: 00DCA477

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: 1b675e9ac5457976d640082825e54159107713c7775dfbc22d8a45a38fed18fb
Instruction ID: 60fe9d11b537cf2674c7b3452b29a8a953584ec56dc2213ad62f1d88ade7cbc4
Opcode Fuzzy Hash: 1b675e9ac5457976d640082825e54159107713c7775dfbc22d8a45a38fed18fb
Instruction Fuzzy Hash: 095103786083468FC754CF19C080B1ABBF1BB99358F64985DE9859B361D731EC85CFA2

Function 00E32882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E32892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E328C8

Strings

|, xrefs: 00E32899

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f2a89882e8e2daf20c4e26981abe01d7052f89ce977fa431c9849cb5be9b7747
Instruction ID: 162657d1b814cd63df26fe53fbb1730a4c6a4536a56a9259654d385e2709628d
Opcode Fuzzy Hash: f2a89882e8e2daf20c4e26981abe01d7052f89ce977fa431c9849cb5be9b7747
Instruction Fuzzy Hash: 6D310771C0011AAFCF01AFA5DC89EEEBFB9FF08310F104069F915A6166DA315A56DBB0

Function 00E46CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E46D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E46DC2

Strings

static, xrefs: 00E46D22

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f47ed4133e877b18630141599a2432ed27f7984816e089ffca24717f7b13efe3
Instruction ID: e017eea4c87c2005f1f573aed374910b6218f744504e3701742c58756f7d35ca
Opcode Fuzzy Hash: f47ed4133e877b18630141599a2432ed27f7984816e089ffca24717f7b13efe3
Instruction Fuzzy Hash: 19319E71610604AEEB109F64DC80FFB73B8FF89724F109619F9A9A7190CA31AC95CB61

Function 00E22D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E22E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E22E3B

Strings

0, xrefs: 00E22DF9

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a97b15bbba9c4e60903bc7b22b476f4621905d30d5eaf5e4cd6c505ca93d74f4
Instruction ID: c7a9322a2f811f93ebfd33c8367597bdc14ef0fc723d119dc3f62d110af4f77a
Opcode Fuzzy Hash: a97b15bbba9c4e60903bc7b22b476f4621905d30d5eaf5e4cd6c505ca93d74f4
Instruction Fuzzy Hash: 37310931600329BBEB269F59E8457EEBBB5FF05304F15106DEA85B71A0D7709944EB20

Function 00E46943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E469D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E469DB

Strings

Combobox, xrefs: 00E4699D

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4a8d905bf42eabb5f205bb20128ce63407a896875bafa8cb7102290011f744fb
Instruction ID: 981b05cd54f19d83c846b3b48e6dfc3f38b4bcdb169b1d3aa6bc7f26cf436eac
Opcode Fuzzy Hash: 4a8d905bf42eabb5f205bb20128ce63407a896875bafa8cb7102290011f744fb
Instruction Fuzzy Hash: 8011B271600209AFEF159E14DC80EFB376AEBDA3A8F115125FA58AB290D6B1DC5187A0

Function 00E46E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00DC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DC1D73
Part of subcall function 00DC1D35: GetStockObject.GDI32(00000011), ref: 00DC1D87
Part of subcall function 00DC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1D91

GetWindowRect.USER32(00000000,?), ref: 00E46EE0
GetSysColor.USER32(00000012), ref: 00E46EFA

Strings

static, xrefs: 00E46EBD

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a95dc01f7b23df53ce2eaddd4be9a92fb0e239bdab2448248182b81a6794f013
Instruction ID: 77e963f5b68762caf0454d08cac1446a6a2b0eabf9edbfd75c930251afb7a9d4
Opcode Fuzzy Hash: a95dc01f7b23df53ce2eaddd4be9a92fb0e239bdab2448248182b81a6794f013
Instruction Fuzzy Hash: AF21447662020AAFDB04DFA8DC45AEA7BB8EB09314F005629F955E3250E634E8619B60

Function 00E46B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E46C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E46C20

Strings

edit, xrefs: 00E46BF5

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1d7c49a5c1f7d48d9d4f331f954484d450e2ad0b780c4ec106257d72aa70e5c9
Instruction ID: 59be4850200fa43af441f74ce9772555cd958ada2503d44385c7bbc4ca8bcfa6
Opcode Fuzzy Hash: 1d7c49a5c1f7d48d9d4f331f954484d450e2ad0b780c4ec106257d72aa70e5c9
Instruction Fuzzy Hash: 2011BC71500208AFEB108E64EC81AFB37A9EB06378F205724F965E71E0C775DC919B61

Function 00E22E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E22F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E22F30

Strings

0, xrefs: 00E22F07

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7dbdfd2a2ef20efa78275e9d33df1e12c11676bf4031c265db4f13e40c256df1
Instruction ID: 2410366860fd2cf58fd7208b78f7cdb0c09c94f03f379ba7a0210e042a38b4e6
Opcode Fuzzy Hash: 7dbdfd2a2ef20efa78275e9d33df1e12c11676bf4031c265db4f13e40c256df1
Instruction Fuzzy Hash: 2B11E231E01134BBEB35DB58ED04BA973B9EB01318F0510A9EB48B72A0DBB0AE04D791

Function 00E324CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E32520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E32549

Strings

<local>, xrefs: 00E32511

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e6b9529ebcf861f85637bc407641a67076c673ed7e7148aad7f23a9ed9c084cc
Instruction ID: 0de954326b7fb06a1b2844b0084f14e9f732065460a4052dddb060c9dce4cd14
Opcode Fuzzy Hash: e6b9529ebcf861f85637bc407641a67076c673ed7e7148aad7f23a9ed9c084cc
Instruction Fuzzy Hash: 7111A070501225BEDB248F618C9DEFBFF68FF06755F10912EFA85A6040D2706A45DAE2

Function 00E380A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E380C8,?,00000000,?,?), ref: 00E38322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E380CB
htons.WSOCK32(00000000,?,00000000), ref: 00E38108

Strings

255.255.255.255, xrefs: 00E380E3

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: cde72c37cbfeecde7c7da8697782e90df4cd5328dc5ccca80df9721ae7b38edf
Instruction ID: 0c01ce4c9dc0069cf339a3741502ff7e2fea17ffeaa6e7e9f0b4f7b26c476047
Opcode Fuzzy Hash: cde72c37cbfeecde7c7da8697782e90df4cd5328dc5ccca80df9721ae7b38edf
Instruction Fuzzy Hash: CF11CE34200305ABDB20AF64DD8AFEEB764EF44324F10952AF911A7291DA72A855C6A1

Function 00DD0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DC3C26,00E862F8,?,?,?), ref: 00DD0ACE

Part of subcall function 00DC7D2C: _memmove.LIBCMT ref: 00DC7D66

_wcscat.LIBCMT ref: 00E050E1

Strings

c, xrefs: 00DD0B0E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: bd2fe89cb59a26f221b3ee5d77b9ffac1a9d95ed845e95cb1150e4cb21bb3aa7
Instruction ID: bb6a16c4486dc889dcccb054c50a2c5f826db637942d8bac832e8eb856582d8e
Opcode Fuzzy Hash: bd2fe89cb59a26f221b3ee5d77b9ffac1a9d95ed845e95cb1150e4cb21bb3aa7
Instruction Fuzzy Hash: 421165359042099B8B11FB74DC02F9D77B8EF88354F0140A7B99DE7251EA70DA888B31

Function 00E192E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E19355

Strings

ListBox, xrefs: 00E1931F
ComboBox, xrefs: 00E192F4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c16df6272bfcaea258246bd3809fcadaf97c86b3698a6f97465a3b84a1f48c74
Instruction ID: c61d2152baa60f13996ad7b34e45fc7528230c4149d28ade207f607a98154282
Opcode Fuzzy Hash: c16df6272bfcaea258246bd3809fcadaf97c86b3698a6f97465a3b84a1f48c74
Instruction Fuzzy Hash: 5101DE71A01215AB8B04EBA0CCA1DFE73A9FF06320B101659F832A72D2DB3169488670

Function 00E191DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E1924D

Strings

ListBox, xrefs: 00E19217
ComboBox, xrefs: 00E191EC

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 33232afe91ba6bed16acd8487e2a0be7ef5f451a516e57b4150f61c9289be95d
Instruction ID: f47ae7c8be24602e7335ab1184ab0e29e631a503c564cfdc0d2e6a7df99ae038
Opcode Fuzzy Hash: 33232afe91ba6bed16acd8487e2a0be7ef5f451a516e57b4150f61c9289be95d
Instruction Fuzzy Hash: B9018471A41205BBCB04EBA0D9A2EFF73A8DF05340F141159B91677292EA216E4CD6B1

Function 00E19264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC7F41: _memmove.LIBCMT ref: 00DC7F82

Part of subcall function 00E1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E1B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E192D0

Strings

ListBox, xrefs: 00E1929C
ComboBox, xrefs: 00E19271

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d3a682f47d27cbd00fe09edca30c4dec6d82e0ad3c07f4ba68192a192675592e
Instruction ID: fe3c491961f4def0a38f3ca11842aa4ba3714f0a11821dbd35bb20ce4550c59e
Opcode Fuzzy Hash: d3a682f47d27cbd00fe09edca30c4dec6d82e0ad3c07f4ba68192a192675592e
Instruction Fuzzy Hash: 3E01F271A41209BBCB00EAA0D892EFF73ECDF05340F241019B802B3292DA216E4C9671

Function 00DE6DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00DE6DD0
__calloc_crt.LIBCMT ref: 00DE6DE9

Strings

@R, xrefs: 00DE6E00

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: 270890880677afee44adefaad2bfb70601f769cdcdf864402de0183b3b98b341
Instruction ID: 6f191b7bd9a9f243929d4286b45cc11a88ae690e0390a530f818098d62083d28
Opcode Fuzzy Hash: 270890880677afee44adefaad2bfb70601f769cdcdf864402de0183b3b98b341
Instruction Fuzzy Hash: BCF04F71308656DFE724EB6BBE016612795EB60770F544466E108EA2E0EB30C88597B0

Function 00E251CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E251E8
_wcscmp.LIBCMT ref: 00E251FA

Strings

#32770, xrefs: 00E251F4

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 081f9f1ce70df5ab27c088b6d0f33b00d80d396992b4f33f94f9b112fc692382
Instruction ID: f6bdb19fdcd5eae2fc62302172254e3f92bae0ff02e07460ad9cbf3ef756e43e
Opcode Fuzzy Hash: 081f9f1ce70df5ab27c088b6d0f33b00d80d396992b4f33f94f9b112fc692382
Instruction Fuzzy Hash: 53E02B335003285BD710A696AC09AA7F7ACEB41721F000067F914E3050E560990587E0

Function 00E181BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E181CA

Part of subcall function 00DE3598: _doexit.LIBCMT ref: 00DE35A2

Strings

Error allocating memory., xrefs: 00E181C3
AutoIt, xrefs: 00E181BE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 6b7bb500108f5e06b273c7077468964f1352335a8467d24dd38a31ba875f8a22
Instruction ID: da8e00a4552e6bbf777557fc4ce9b456eb1dd3400f215b26d93e32e922072272
Opcode Fuzzy Hash: 6b7bb500108f5e06b273c7077468964f1352335a8467d24dd38a31ba875f8a22
Instruction Fuzzy Hash: 8BD02B323C135832D21433A52C0BFC576488F05F12F004415FB0C765C38DD288C242F8

Function 00DFB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00DFB564: _memset.LIBCMT ref: 00DFB571

Part of subcall function 00DE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DFB540,?,?,?,00DC100A), ref: 00DE0B89

IsDebuggerPresent.KERNEL32(?,?,?,00DC100A), ref: 00DFB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC100A), ref: 00DFB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DFB54E

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: ea1aca5282a6ebaa76f6afcf47d87293629786cc8c0e1a866a6c1fceb51cb254
Instruction ID: 91acb339aa7a14a59259b06db80d2338a4f8aa77f4cecc2f7532ca0a877590cd
Opcode Fuzzy Hash: ea1aca5282a6ebaa76f6afcf47d87293629786cc8c0e1a866a6c1fceb51cb254
Instruction Fuzzy Hash: F2E06D742007158FD721DF2AE4087527BE0EB00B68F05C92EE546D7360DBB9D448CB71

Function 00E45BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E45BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E45C08

Part of subcall function 00E254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E2555E

Strings

Shell_TrayWnd, xrefs: 00E45BEE

Memory Dump Source

Source File: 00000000.00000002.1993487865.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1993466127.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993969527.0000000000E7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993997686.0000000000E88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_Shipping Documents inv.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 07373ab2a0553efb5607f401fc0c5c65eb04595ebb3dbedd72c53125a1a9789b
Instruction ID: a5e3d49ebacfa9590af024cd71dd0160ad0af3a70c5d915550d742a975b151ee
Opcode Fuzzy Hash: 07373ab2a0553efb5607f401fc0c5c65eb04595ebb3dbedd72c53125a1a9789b
Instruction Fuzzy Hash: D3D0A936388310BAE334BB30AC0BF976A10AB01B00F010834B20ABA0D0C8E45801C240

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Documents inv. 523435300XX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jBpFfg.exe.log

C:\Users\user\AppData\Local\Temp\Mazatl

C:\Users\user\AppData\Local\Temp\Wauseon

C:\Users\user\AppData\Local\Temp\autAB36.tmp

C:\Users\user\AppData\Local\Temp\autAB85.tmp

C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Shipping Documents inv. 523435300XX.exe

Function 00DC3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00DC4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00DC4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00E293DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00DC3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00DC3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00DC71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00DC3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00DC3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00DC3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00DCF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre