Edit tour

Windows Analysis Report
Shipping Documents_pdf.exe

Overview

General Information

Sample name:	Shipping Documents_pdf.exe
Analysis ID:	1479840
MD5:	50e6e94907fc16f102299c659ba822d3
SHA1:	b96807ab5a591c38f0d1405f553a4da030b8643e
SHA256:	95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7
Tags:	exeRedLineStealer
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Shipping Documents_pdf.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\Shipping Documents_pdf.exe" MD5: 50E6E94907FC16F102299C659BA822D3)

RegSvcs.exe (PID: 3200 cmdline: "C:\Users\user\Desktop\Shipping Documents_pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fec7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff39:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffc3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40055:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40131:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40257:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a114:$s2: GetPrivateProfileString 0x3d2a9:$s3: get_OSFullName 0x3a715:$s5: remove_Key 0x3a735:$s5: remove_Key 0x3d71e:$s6: FtpWebRequest 0x3fea9:$s7: logins 0x4041b:$s7: logins 0x4312c:$s7: logins 0x431de:$s7: logins 0x461a6:$s7: logins 0x43d82:$s9: 1.85 (Hash, version 2, native byte-order)
00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3922c:$s2: GetPrivateProfileString 0x3c3c1:$s3: get_OSFullName 0x3982d:$s5: remove_Key 0x3984d:$s5: remove_Key 0x3c836:$s6: FtpWebRequest 0x3efc1:$s7: logins 0x3f533:$s7: logins 0x42244:$s7: logins 0x422f6:$s7: logins 0x452be:$s7: logins 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)
00000006.00000002.2502956541.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1287280845.0000000003860000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3200	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3200	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
6.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3922c:$s2: GetPrivateProfileString 0x3c3c1:$s3: get_OSFullName 0x3982d:$s5: remove_Key 0x3984d:$s5: remove_Key 0x3c836:$s6: FtpWebRequest 0x3efc1:$s7: logins 0x3f533:$s7: logins 0x42244:$s7: logins 0x422f6:$s7: logins 0x452be:$s7: logins 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.4392b90.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.4392b90.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.4392b90.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.4392b90.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.4392b90.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3922c:$s2: GetPrivateProfileString 0x3c3c1:$s3: get_OSFullName 0x3982d:$s5: remove_Key 0x3984d:$s5: remove_Key 0x3c836:$s6: FtpWebRequest 0x3efc1:$s7: logins 0x3f533:$s7: logins 0x42244:$s7: logins 0x422f6:$s7: logins 0x452be:$s7: logins 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.4346458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.4346458.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.4346458.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.4346458.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d251:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d36d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d449:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d56f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.4346458.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3742c:$s2: GetPrivateProfileString 0x3a5c1:$s3: get_OSFullName 0x37a2d:$s5: remove_Key 0x37a4d:$s5: remove_Key 0x3aa36:$s6: FtpWebRequest 0x3d1c1:$s7: logins 0x3d733:$s7: logins 0x40444:$s7: logins 0x404f6:$s7: logins 0x434be:$s7: logins 0x4109a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Shipping Documents_pdf.exe.3860000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 CA 88 44 24 2B 88 44 24 2F B0 5F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.RegSvcs.exe.4345570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.4345570.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.4345570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.4345570.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e0c7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e139:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e1c3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e255:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e2bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e331:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e3c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e457:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.4345570.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x38314:$s2: GetPrivateProfileString 0x3b4a9:$s3: get_OSFullName 0x38915:$s5: remove_Key 0x38935:$s5: remove_Key 0x3b91e:$s6: FtpWebRequest 0x3e0a9:$s7: logins 0x3e61b:$s7: logins 0x4132c:$s7: logins 0x413de:$s7: logins 0x443a6:$s7: logins 0x41f82:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.4345570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.4345570.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.4345570.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.4345570.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fec7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c5ff:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff39:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c671:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffc3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c6fb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40055:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c78d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c7f7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40131:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c869:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c8ff:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40257:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8c98f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.4345570.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a114:$s2: GetPrivateProfileString 0x8684c:$s2: GetPrivateProfileString 0x3d2a9:$s3: get_OSFullName 0x899e1:$s3: get_OSFullName 0x3a715:$s5: remove_Key 0x3a735:$s5: remove_Key 0x86e4d:$s5: remove_Key 0x86e6d:$s5: remove_Key 0x3d71e:$s6: FtpWebRequest 0x89e56:$s6: FtpWebRequest 0x3fea9:$s7: logins 0x4041b:$s7: logins 0x4312c:$s7: logins 0x431de:$s7: logins 0x461a6:$s7: logins 0x8c5e1:$s7: logins 0x8cb53:$s7: logins 0x8f864:$s7: logins 0x8f916:$s7: logins 0x928de:$s7: logins 0x43d82:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.32d0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.32d0000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.32d0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.32d0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fec7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff39:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffc3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40055:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40131:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40257:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.32d0000.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a114:$s2: GetPrivateProfileString 0x3d2a9:$s3: get_OSFullName 0x3a715:$s5: remove_Key 0x3a735:$s5: remove_Key 0x3d71e:$s6: FtpWebRequest 0x3fea9:$s7: logins 0x4041b:$s7: logins 0x4312c:$s7: logins 0x431de:$s7: logins 0x461a6:$s7: logins 0x43d82:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.2ececee.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.2ececee.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.2ececee.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.2ececee.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e0c7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e139:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e1c3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e255:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e2bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e331:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e3c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e457:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.2ececee.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x38314:$s2: GetPrivateProfileString 0x3b4a9:$s3: get_OSFullName 0x38915:$s5: remove_Key 0x38935:$s5: remove_Key 0x3b91e:$s6: FtpWebRequest 0x3e0a9:$s7: logins 0x3e61b:$s7: logins 0x4132c:$s7: logins 0x413de:$s7: logins 0x443a6:$s7: logins 0x41f82:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.4392b90.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.4392b90.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.4392b90.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.4392b90.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d251:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d36d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d449:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d56f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.4392b90.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3742c:$s2: GetPrivateProfileString 0x3a5c1:$s3: get_OSFullName 0x37a2d:$s5: remove_Key 0x37a4d:$s5: remove_Key 0x3aa36:$s6: FtpWebRequest 0x3d1c1:$s7: logins 0x3d733:$s7: logins 0x40444:$s7: logins 0x404f6:$s7: logins 0x434be:$s7: logins 0x4109a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.32d0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.32d0000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.32d0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.32d0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e0c7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e139:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e1c3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e255:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e2bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e331:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e3c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e457:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.32d0000.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x38314:$s2: GetPrivateProfileString 0x3b4a9:$s3: get_OSFullName 0x38915:$s5: remove_Key 0x38935:$s5: remove_Key 0x3b91e:$s6: FtpWebRequest 0x3e0a9:$s7: logins 0x3e61b:$s7: logins 0x4132c:$s7: logins 0x413de:$s7: logins 0x443a6:$s7: logins 0x41f82:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.4346458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.4346458.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.4346458.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.4346458.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8b717:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8b789:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8b813:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8b8a5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8b90f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8b981:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8ba17:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8baa7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.4346458.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3922c:$s2: GetPrivateProfileString 0x85964:$s2: GetPrivateProfileString 0x3c3c1:$s3: get_OSFullName 0x88af9:$s3: get_OSFullName 0x3982d:$s5: remove_Key 0x3984d:$s5: remove_Key 0x85f65:$s5: remove_Key 0x85f85:$s5: remove_Key 0x3c836:$s6: FtpWebRequest 0x88f6e:$s6: FtpWebRequest 0x3efc1:$s7: logins 0x3f533:$s7: logins 0x42244:$s7: logins 0x422f6:$s7: logins 0x452be:$s7: logins 0x8b6f9:$s7: logins 0x8bc6b:$s7: logins 0x8e97c:$s7: logins 0x8ea2e:$s7: logins 0x919f6:$s7: logins 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.32d0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.32d0ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.32d0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.32d0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.32d0ee8.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3922c:$s2: GetPrivateProfileString 0x3c3c1:$s3: get_OSFullName 0x3982d:$s5: remove_Key 0x3984d:$s5: remove_Key 0x3c836:$s6: FtpWebRequest 0x3efc1:$s7: logins 0x3f533:$s7: logins 0x42244:$s7: logins 0x422f6:$s7: logins 0x452be:$s7: logins 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.32d0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.32d0ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.32d0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.32d0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d251:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d36d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d449:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d56f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.32d0ee8.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3742c:$s2: GetPrivateProfileString 0x3a5c1:$s3: get_OSFullName 0x37a2d:$s5: remove_Key 0x37a4d:$s5: remove_Key 0x3aa36:$s6: FtpWebRequest 0x3d1c1:$s7: logins 0x3d733:$s7: logins 0x40444:$s7: logins 0x404f6:$s7: logins 0x434be:$s7: logins 0x4109a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.5b00000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.5b00000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.5b00000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.5b00000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3efdf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f051:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f16d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f249:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f36f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.5b00000.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3922c:$s2: GetPrivateProfileString 0x3c3c1:$s3: get_OSFullName 0x3982d:$s5: remove_Key 0x3984d:$s5: remove_Key 0x3c836:$s6: FtpWebRequest 0x3efc1:$s7: logins 0x3f533:$s7: logins 0x42244:$s7: logins 0x422f6:$s7: logins 0x452be:$s7: logins 0x42e9a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.2ececee.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.2ececee.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.2ececee.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.2ececee.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fec7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff39:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffc3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40055:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400bf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40131:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401c7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40257:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.2ececee.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a114:$s2: GetPrivateProfileString 0x3d2a9:$s3: get_OSFullName 0x3a715:$s5: remove_Key 0x3a735:$s5: remove_Key 0x3d71e:$s6: FtpWebRequest 0x3fea9:$s7: logins 0x4041b:$s7: logins 0x4312c:$s7: logins 0x431de:$s7: logins 0x461a6:$s7: logins 0x43d82:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.5b00000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.5b00000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.5b00000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.5b00000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d251:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d36d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d449:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d56f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.5b00000.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3742c:$s2: GetPrivateProfileString 0x3a5c1:$s3: get_OSFullName 0x37a2d:$s5: remove_Key 0x37a4d:$s5: remove_Key 0x3aa36:$s6: FtpWebRequest 0x3d1c1:$s7: logins 0x3d733:$s7: logins 0x40444:$s7: logins 0x404f6:$s7: logins 0x434be:$s7: logins 0x4109a:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegSvcs.exe.2ecfbd6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.2ecfbd6.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.2ecfbd6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.2ecfbd6.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d251:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d36d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3d7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d449:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4df:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d56f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegSvcs.exe.2ecfbd6.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3742c:$s2: GetPrivateProfileString 0x3a5c1:$s3: get_OSFullName 0x37a2d:$s5: remove_Key 0x37a4d:$s5: remove_Key 0x3aa36:$s6: FtpWebRequest 0x3d1c1:$s7: logins 0x3d733:$s7: logins 0x40444:$s7: logins 0x404f6:$s7: logins 0x434be:$s7: logins 0x4109a:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 78 entries

Suricata Signatures

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.11 - Destination IP: 108.179.234.136

Timestamp:	2024-07-24T08:52:09.872221+0200
SID:	2855542
Source Port:	49709
Destination Port:	39179
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.11 - Destination IP: 108.179.234.136

Timestamp:	2024-07-24T08:52:09.878469+0200
SID:	2855542
Source Port:	49709
Destination Port:	39179
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.11 - Destination IP: 108.179.234.136

Timestamp:	2024-07-24T08:52:09.465059+0200
SID:	2029927
Source Port:	49708
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}

Multi AV Scanner detection for submitted file

Source: Shipping Documents_pdf.exe	ReversingLabs: Detection: 47%
Source: Shipping Documents_pdf.exe	Virustotal: Detection: 29%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Shipping Documents_pdf.exe

Joe Sandbox ML: detected

Source: Shipping Documents_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping Documents_pdf.exe, 00000000.00000003.1285204897.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents_pdf.exe, 00000000.00000003.1275996053.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Documents_pdf.exe, 00000000.00000003.1285204897.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents_pdf.exe, 00000000.00000003.1275996053.00000000038B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CDDBBE
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CAC2A2 FindFirstFileExW,	0_2_00CAC2A2
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE68EE FindFirstFileW,FindClose,	0_2_00CE68EE
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CE698F
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CDD076
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CDD3A9
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CE9642
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CE979D
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CE9B2B
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CE5C97

Source: global traffic

TCP traffic: 192.168.2.11:49709 -> 108.179.234.136:39179

Source: Joe Sandbox View

IP Address: 108.179.234.136 108.179.234.136

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown

FTP traffic detected: 108.179.234.136:21 -> 192.168.2.11:49708 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:52. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:52. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:52. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00CECE44

Source: global traffic	DNS traffic detected: DNS query: ftp.wapination.net
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: RegSvcs.exe, 00000006.00000002.2504952800.000000000339D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.wapination.net
Source: RegSvcs.exe, 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000006.00000002.2504952800.000000000339D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wapination.net
Source: RegSvcs.exe, 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, SKTzxzsJw.cs

.Net Code: Fe9wfWKc5

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CEEAFF

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CEED6A

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

0_2_00CEEAFF

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00CDAA57

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00D09576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D09576

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Shipping Documents_pdf.exe.3860000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000006.00000002.2502956541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1287280845.0000000003860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: Shipping Documents_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Shipping Documents_pdf.exe, 00000000.00000000.1265832689.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a5060b0b-b
Source: Shipping Documents_pdf.exe, 00000000.00000000.1265832689.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9df77bb2-3
Source: Shipping Documents_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_917273ee-5
Source: Shipping Documents_pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e2e0be4f-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping Documents_pdf.exe

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00CDD5EB

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CD1201

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CDE8F6

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE2046	0_2_00CE2046
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C78060	0_2_00C78060
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CD8298	0_2_00CD8298
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CAE4FF	0_2_00CAE4FF
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CA676B	0_2_00CA676B
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00D04873	0_2_00D04873
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C7CAF0	0_2_00C7CAF0
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C9CAA0	0_2_00C9CAA0
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C8CC39	0_2_00C8CC39
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CA6DD9	0_2_00CA6DD9
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C791C0	0_2_00C791C0
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C8B119	0_2_00C8B119
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C91394	0_2_00C91394
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C91706	0_2_00C91706
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C9781B	0_2_00C9781B
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C919B0	0_2_00C919B0
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C8997D	0_2_00C8997D
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C77920	0_2_00C77920
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C97A4A	0_2_00C97A4A
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C97CA7	0_2_00C97CA7
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C91C77	0_2_00C91C77
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CA9EEE	0_2_00CA9EEE
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CFBE44	0_2_00CFBE44
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C91F32	0_2_00C91F32
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_01D53610	0_2_01D53610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040DC11	6_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00407C3F	6_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00418CCC	6_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00406CA0	6_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004028B0	6_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A4BE	6_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00418244	6_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401650	6_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402F20	6_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004193C4	6_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00418788	6_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402F89	6_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402B90	6_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004073A0	6_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0317CD08	6_2_0317CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0317D920	6_2_0317D920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_03170FD0	6_2_03170FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_03171298	6_2_03171298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_03171030	6_2_03171030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0317D050	6_2_0317D050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: String function: 00C8F9F2 appears 40 times
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: String function: 00C90A30 appears 46 times
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: String function: 00C79CB3 appears 31 times

Source: Shipping Documents_pdf.exe, 00000000.00000003.1283268323.0000000003BCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents_pdf.exe
Source: Shipping Documents_pdf.exe, 00000000.00000003.1277807363.00000000039D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents_pdf.exe
Source: Shipping Documents_pdf.exe, 00000000.00000002.1287280845.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs Shipping Documents_pdf.exe

Source: Shipping Documents_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Shipping Documents_pdf.exe.3860000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000006.00000002.2502956541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1287280845.0000000003860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/1

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CE37B5 GetLastError,FormatMessageW,

0_2_00CE37B5

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CD10BF AdjustTokenPrivileges,CloseHandle,		0_2_00CD10BF
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CD16C3

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CE51CD

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CFA67C

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CE648E

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00C742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C742A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut320.tmp

Jump to behavior

Source: Shipping Documents_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipping Documents_pdf.exe	ReversingLabs: Detection: 47%
Source: Shipping Documents_pdf.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Documents_pdf.exe "C:\Users\user\Desktop\Shipping Documents_pdf.exe"
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents_pdf.exe"
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Shipping Documents_pdf.exe

Static file information: File size 1203200 > 1048576

Source: Shipping Documents_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipping Documents_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipping Documents_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipping Documents_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipping Documents_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipping Documents_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Shipping Documents_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping Documents_pdf.exe, 00000000.00000003.1285204897.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents_pdf.exe, 00000000.00000003.1275996053.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Documents_pdf.exe, 00000000.00000003.1285204897.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents_pdf.exe, 00000000.00000003.1275996053.00000000038B0000.00000004.00001000.00020000.00000000.sdmp

Source: Shipping Documents_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipping Documents_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipping Documents_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipping Documents_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipping Documents_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C90A76 push ecx; ret	0_2_00C90A89
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C75C92 push 00000043h; retf	0_2_00C75C94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041C40C push cs; iretd	6_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00423149 push eax; ret	6_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041C50E push cs; iretd	6_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004231C8 push eax; ret	6_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040E21D push ecx; ret	6_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041C6BE push ebx; ret	6_2_0041C6BF

Source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'w58Mn4hlKZnUX', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C8F98E
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00D01C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D01C41

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97698

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

API/Special instruction interceptor: Address: 1D53234

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

6_2_004019F0

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

API coverage: 4.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CDDBBE
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CAC2A2 FindFirstFileExW,	0_2_00CAC2A2
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE68EE FindFirstFileW,FindClose,	0_2_00CE68EE
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CE698F
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CDD076
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CDD3A9
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CE9642
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CE979D
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CE9B2B
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CE5C97

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: RegSvcs.exe, 00000006.00000002.2506668062.0000000005A23000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CEEAA2 BlockInput,

0_2_00CEEAA2

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CA2622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

6_2_004019F0

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C94CE8 mov eax, dword ptr fs:[00000030h]	0_2_00C94CE8
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_01D53500 mov eax, dword ptr fs:[00000030h]	0_2_01D53500
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_01D534A0 mov eax, dword ptr fs:[00000030h]	0_2_01D534A0
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_01D51E70 mov eax, dword ptr fs:[00000030h]	0_2_01D51E70

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00CD0B62

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CA2622
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C9083F
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C909D5 SetUnhandledExceptionFilter,	0_2_00C909D5
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00C90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C90C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004123F1 SetUnhandledExceptionFilter,	6_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11FF008

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

0_2_00CD1201

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CB2BA5

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CDB226 SendInput,keybd_event,

0_2_00CDB226

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CF22DA

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents_pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

0_2_00CD0B62

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CD1663

Source: Shipping Documents_pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shipping Documents_pdf.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00C90698 cpuid

0_2_00C90698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

6_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00CE8195

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CCD27A GetUserNameW,

0_2_00CCD27A

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00CAB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00CAB952

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3200, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Shipping Documents_pdf.exe	Binary or memory string: WIN_81
Source: Shipping Documents_pdf.exe	Binary or memory string: WIN_XP
Source: Shipping Documents_pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Shipping Documents_pdf.exe	Binary or memory string: WIN_XPe
Source: Shipping Documents_pdf.exe	Binary or memory string: WIN_VISTA
Source: Shipping Documents_pdf.exe	Binary or memory string: WIN_7
Source: Shipping Documents_pdf.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3200, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3200, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4345570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4392b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4346458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.32d0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ececee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.5b00000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.2ecfbd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CF1204
Source: C:\Users\user\Desktop\Shipping Documents_pdf.exe	Code function: 0_2_00CF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Documents_pdf.exe	47%	ReversingLabs	Win32.Spyware.Redline
Shipping Documents_pdf.exe	30%	Virustotal		Browse
Shipping Documents_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
wapination.net	0%	Virustotal	Browse
18.31.95.13.in-addr.arpa	0%	Virustotal	Browse
ftp.wapination.net	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ftp.wapination.net	1%	Virustotal		Browse
http://wapination.net	0%	Virustotal		Browse
http://wapination.net	0%	Avira URL Cloud	safe
http://ftp.wapination.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wapination.net	108.179.234.136	true	true	0%, Virustotal, Browse	unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown
ftp.wapination.net	unknown	unknown	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ftp.wapination.net	RegSvcs.exe, 00000006.00000002.2504952800.000000000339D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wapination.net	RegSvcs.exe, 00000006.00000002.2504952800.000000000339D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.179.234.136	wapination.net	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1479840
Start date and time:	2024-07-24 08:51:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping Documents_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 53 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
108.179.234.136	SecuriteInfo.com.Win32.PWSX-gen.20769.7015.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe	Get hash	malicious	AgentTesla	Browse
	Shipping Documents_pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	Quotation_#432768#_pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Payment Advice Copy-EUR 5500,00 20240419165413-docx.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	Collexus Knowledge Base Access.docx	Get hash	malicious	Unknown	Browse	192.254.232.202
	https://www.turkiyecumhuriyetiziraatbankasi.com/en/product-and-service-fees.html	Get hash	malicious	Unknown	Browse	162.240.37.219
	http://nia.sga.mybluehost.me/	Get hash	malicious	Unknown	Browse	162.241.226.133
	http://www.agrimarkeurope.com	Get hash	malicious	Unknown	Browse	173.254.30.100
	http://erikagascon.com/	Get hash	malicious	HTMLPhisher	Browse	162.241.61.204
	Caller_Left (VM) (Ofsoptics) c8d121e7a1b51baf9fc10b2def5961d2 (14.9 KB).msg	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	69.49.245.172
	http://links-sg.dispatch.me/ls/click?upn=u001.ocQe0-2BgliqpF-2FIgZypM8KOaLflKjBlvqTxtPZw5yZIbZDE9vmulRwrCjHKmWRDNHlPAKzJz-2Bkyw6vooZJVzMD9D0PTTv40Qaf3A-2B8jdax3zSQd6j97iwPQ5LL29XZH-2Bb3ZkTE33n6oy8gEQcco0n7vS-2FGTmcMagm61nZGx-2BsbOmIrrFduUTLIj3aNiNh7GKndYRqJIKnx4-2BMq-2Fp3sc3WW23AJCzdlcXL4wplUU4mfYI-3DEZrM_2oPqK8tuNAHN64IciOmeZPyRuqNs2X0exJLQc9A9fZvUMaycL-2Fz7whcRnxrz-2B4IB7izKsVyREANEupGz7H72JUx0AUI1w-2F-2BoQqBNLoZiC-2FK-2BFnOYEVpG01K9eVop9ITdC7fLxEN-2F3GKzXPK8ZIvVGqqB1Qi-2F618LDRDdHJqCef2Ko2ktowJEA7wmfbk9zS9J2KvV7yd4oTdMV5y9A9xZdg-3D-3D	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	108.179.241.225
	Frutas Nuevo Orden.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	173.254.29.76
	AED 47,000.exe	Get hash	malicious	FormBook	Browse	162.240.81.18
	Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	173.254.29.76

Process:	C:\Users\user\Desktop\Shipping Documents_pdf.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.579653991188109
Encrypted:	false
SSDEEP:	768:Jx6TBScFCo3T3iCev73GntQUA+n++nmkE/wVs62HzimL5sCWC:yTBScFCo3T3iPv73GntQUA+n++nmkE/1
MD5:	94A69232267CC7F39145D58A6D06BFFC
SHA1:	EB81E25268D97971BF73934A4525D62F838D3A07
SHA-256:	B43071663685252B53AB6DDC907B3396572C0BEF2A373A456B416C43AAA6F33F
SHA-512:	9D98FD25783567CCD17300FD334EBFCFB7D055EC07850C1CE30797C65ABB21C5C2C1E34F3C4909C05D4887C7C821D93CEA11782F21A6FAE54A4105E2BEC11197
Malicious:	false
Reputation:	low
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

C:\Users\user\AppData\Local\Temp\aut320.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Documents_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	264414
Entropy (8bit):	7.9824638974854105
Encrypted:	false
SSDEEP:	6144:NSSaT47DDs/iuzBMg/tPkXmm/kuClgDmHoGmgoP1wZDKjl3U+:57Dw/icfpURdClgD3zyYV5
MD5:	06848BFD576947A2183F7CABB2090AAA
SHA1:	F935E70EEE97833623DDDAF80B17B875B8D89408
SHA-256:	9319248294577CE7614160B00106A4467061FAD25010A2ADC2A75306E729EC12
SHA-512:	E2F36448D22E65241B864A7585982CDE98E931202C483A23D1B0CA1277BDD3993238C578B41AB195519A5072F4C773CE49AE8AFE88FC80FD063C0A667ACA1EF8
Malicious:	false
Reputation:	low
Preview:	EA06.....Ey4:eV.P.Vh....O..........&..}d.;4P..^..Q(..=3.@.^?t..&....'V.,.A>...I..o+.N"..U.c:..'2K......$..5..I.[...1.......Oi.i.vY..{}.N..YF.oG.v&7)..Wh..d....l..jrMt..z.M..M...`.J. ..^A/... ...B?....1.Uf...P....2.9.%B.X.R(.ZO^.C..h......8T....,.8.Mi5....D.S..3\....5...4=...P.Vh..d..q..j.E..1b....mZ.U...T..{X.P.1?.......{..j.(.s......I...l..8...U$.p..)..8.W.o..&.I\.Q8..T..........G.......[$..o..E.......X......pv.<.E).. .p..GM..4......Q.....%...;..?.A.u.Mz.^...MS3)....j}:.I.W...5Z...0.\N........g....(?.l....mZ..B.T..i{X...j......y...x8w....D..Y...(.P<xJ.2....6..DF.O.n....C..i..6.D.L...%3...Fi..%.......H..:.Gi5...u........V.]v.nD.e..V@..'O.].h...G7G..@.....u^...T.p....a...#.......i.[.v...l....Q..Dk.J.:.U.S.B...b.{....?_E..@.]>....U<.cO..My3j.'...k..h<...d..-E.P.g.6...aJ.p0.X.WO%...x<...a.6;....T.P8.[=_'..Vk4......[.$..J..)\.m...w..J.....T.........(.....}..;2`..5...X....U...F!.... ..z..l:.{]......e2...b.W.OB3m.N..k...U........r.T+4>\|.....t.*.6

C:\Users\user\AppData\Local\Temp\aut38E.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Documents_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	9754
Entropy (8bit):	7.636594014745369
Encrypted:	false
SSDEEP:	192:ZueSuy+g4uD+XOz0IkN35UQ6yU8ZI7K+5SMiOoWrmrAX29V5hmQY2b:Zwb1+XhH351RU32q7d96ru8oU
MD5:	481BDD864E0AFF316C4DB0EC4A373AD3
SHA1:	0E3B95246044BC7103F5EBD29C8DFFAE168746FD
SHA-256:	93551AA4C6011D6200AB430DF8CC5C06271CFA3E22923326C261B47C9039121D
SHA-512:	5755A2BDC664B28852D53FC04416004A0379E681E1225C5A33366DFA2B500BC0504C20A80A4AC001A56333ACF118EBCA921958120ED9E57A52E11383468D3981
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\obtenebrate

Download File

Process:	C:\Users\user\Desktop\Shipping Documents_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	267264
Entropy (8bit):	7.8742222906810575
Encrypted:	false
SSDEEP:	6144:QCpAmu3rXYS/GFyw1PGWrG0qbuSdeyywHjPk+TaWAurAcjmunVVU:Q8YrQFj+wyAB0g4aWzdVVU
MD5:	BD49EF6083A14443708B8D3F2FF45DBB
SHA1:	4B60AFD4A76D020DADA7E7DD729C9B9C5BCAF651
SHA-256:	9C4C630E5C177A39E9E98D7BF3B16B8BDF2AC1164611CEB6ACB902AA7D483FCE
SHA-512:	CBC125023FF93611EF102C83FACE96031BAE95A48612C2540073F184477A6F4FAEC847BDDE42CC5CBB74D272519C0BB1F4C157360550535115E9F2E1999A0372
Malicious:	false
Reputation:	low
Preview:	...CLUDPNYEI..IO.COUDPJY.IL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYC.UDPDF.GL.@.x.N..q.1,:lE; >1.8d3+7+&8.+*y1:;d9$y....$ =&aXIZnYEIL5IO1S.xh!.'i8.Ke>.=}v;.u(.7G..1r2.+h!.'.8.K{l7=S$..xz,7.D.1k`4+i!.'. /]e>.=OUDPJYEIL5IOYCOUP..?EIL5..YC.T@P>.E.L5IOYCOU.PiXNHE5I.XCO-FPJYEIc.IOYSOUD.KYEI.5I_YCOWDPOYEIL5IO\COUDPJYE)H5IKYC.nFPHYE.L5YOYSOUDPZYEYL5IOYC_UDPJYEIL5IO.VMU.PJYE)N5..XCOUDPJYEIL5IOYCOUDPJYEIL5..XCSUDPJYEIL5IOYCOUDPJYEIL5IOYC.XFP.YEIL5IOYCOUD.KY.HL5IOYCOUDPJYEIL5IOYCOUDPJYk=)M=OYCW.EPJIEIL.HOYGOUDPJYEIL5IOYCoUD0d+!(8TIO..OUD.KYE'L5I.XCOUDPJYEIL5IO.CO.j4+-$IL5..YCOuFPJOEIL?KOYCOUDPJYEIL5.OY.a'7")YEI..HOY#MUD.KYEiN5IOYCOUDPJYEI.5I.YCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOUDPJYEIL5IOYCOU

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.081658629774075
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping Documents_pdf.exe
File size:	1'203'200 bytes
MD5:	50e6e94907fc16f102299c659ba822d3
SHA1:	b96807ab5a591c38f0d1405f553a4da030b8643e
SHA256:	95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7
SHA512:	c102b607778140baa6252f883183bf6572f76ba7b0b9b5a07c6549a86fe951be229520a59c8a1b4f2686b98c1dbd03815affa6a1f9166e650c30acbf7b3a3c4e
SSDEEP:	24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aS7JtgbvXVGwaD0YcD:4TvC/MTQYxsWR7aS7Jtg7dTN
TLSH:	5145BF027391C022FF9B96334F9AF6115BBC69260123E62F13981DB9BE705B1563E763
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A0345E [Tue Jul 23 22:53:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5EB5059553h
jmp 00007F5EB5058E5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5EB505903Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5EB505900Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5EB505BBFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5EB505BC48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5EB505BC31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4f06c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x4f06c	0x4f200	4f7d7bbf8c55ebba5c798b42c9ccc4ad	False	0.9163920566745656	data	7.869317053339196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x46332	data			1.0003338689147174
RT_GROUP_ICON	0x122aec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x122b64	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x122b78	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x122b8c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x122ba0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x122c7c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T08:52:09.872221+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	49709	39179	192.168.2.11	108.179.234.136
2024-07-24T08:52:09.878469+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	49709	39179	192.168.2.11	108.179.234.136
2024-07-24T08:52:09.465059+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	49708	21	192.168.2.11	108.179.234.136

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 08:52:07.995595932 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:08.000478983 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:08.000581026 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:08.518560886 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:08.527544975 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:08.532596111 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:08.641375065 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:08.641531944 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:08.646425009 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:08.855071068 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:08.855216980 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:08.860078096 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.116424084 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.116584063 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.121588945 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.230184078 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.230321884 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.235363007 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.344413042 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.344547987 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.350141048 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.458338976 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.458942890 CEST	49709	39179	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.464878082 CEST	39179	49709	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.464941978 CEST	49709	39179	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.465059042 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.470159054 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.871932983 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.872220993 CEST	49709	39179	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.872220993 CEST	49709	39179	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.877296925 CEST	39179	49709	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.878307104 CEST	39179	49709	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:09.878468990 CEST	49709	39179	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:09.919869900 CEST	49708	21	192.168.2.11	108.179.234.136
Jul 24, 2024 08:52:10.003081083 CEST	21	49708	108.179.234.136	192.168.2.11
Jul 24, 2024 08:52:10.044312954 CEST	49708	21	192.168.2.11	108.179.234.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 08:52:07.636054039 CEST	61229	53	192.168.2.11	1.1.1.1
Jul 24, 2024 08:52:07.990297079 CEST	53	61229	1.1.1.1	192.168.2.11
Jul 24, 2024 08:52:38.520412922 CEST	53	64559	162.159.36.2	192.168.2.11
Jul 24, 2024 08:52:39.014751911 CEST	60461	53	192.168.2.11	1.1.1.1
Jul 24, 2024 08:52:39.022835016 CEST	53	60461	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 08:52:07.636054039 CEST	192.168.2.11	1.1.1.1	0xc4ff	Standard query (0)	ftp.wapination.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 08:52:39.014751911 CEST	192.168.2.11	1.1.1.1	0x3056	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 08:52:07.990297079 CEST	1.1.1.1	192.168.2.11	0xc4ff	No error (0)	ftp.wapination.net	wapination.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 08:52:07.990297079 CEST	1.1.1.1	192.168.2.11	0xc4ff	No error (0)	wapination.net		108.179.234.136	A (IP address)	IN (0x0001)	false
Jul 24, 2024 08:52:39.022835016 CEST	1.1.1.1	192.168.2.11	0x3056	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 24, 2024 08:52:08.518560886 CEST	21	49708	108.179.234.136	192.168.2.11	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:52. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:52. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:52. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jul 24, 2024 08:52:08.527544975 CEST	49708	21	192.168.2.11	108.179.234.136	USER pop@wapination.net
Jul 24, 2024 08:52:08.641375065 CEST	21	49708	108.179.234.136	192.168.2.11	331 User pop@wapination.net OK. Password required
Jul 24, 2024 08:52:08.641531944 CEST	49708	21	192.168.2.11	108.179.234.136	PASS sync@#1235
Jul 24, 2024 08:52:08.855071068 CEST	21	49708	108.179.234.136	192.168.2.11	230 OK. Current restricted directory is /
Jul 24, 2024 08:52:09.116424084 CEST	21	49708	108.179.234.136	192.168.2.11	504 Unknown command
Jul 24, 2024 08:52:09.116584063 CEST	49708	21	192.168.2.11	108.179.234.136	PWD
Jul 24, 2024 08:52:09.230184078 CEST	21	49708	108.179.234.136	192.168.2.11	257 "/" is your current location
Jul 24, 2024 08:52:09.230321884 CEST	49708	21	192.168.2.11	108.179.234.136	TYPE I
Jul 24, 2024 08:52:09.344413042 CEST	21	49708	108.179.234.136	192.168.2.11	200 TYPE is now 8-bit binary
Jul 24, 2024 08:52:09.344547987 CEST	49708	21	192.168.2.11	108.179.234.136	PASV
Jul 24, 2024 08:52:09.458338976 CEST	21	49708	108.179.234.136	192.168.2.11	227 Entering Passive Mode (108,179,234,136,153,11)
Jul 24, 2024 08:52:09.465059042 CEST	49708	21	192.168.2.11	108.179.234.136	STOR PW_user-473627_2024_07_24_02_52_06.html
Jul 24, 2024 08:52:09.871932983 CEST	21	49708	108.179.234.136	192.168.2.11	150 Accepted data connection
Jul 24, 2024 08:52:10.003081083 CEST	21	49708	108.179.234.136	192.168.2.11	226-File successfully transferred 226-File successfully transferred226 0.115 seconds (measured here), 2.71 Kbytes per second

Target ID:	0
Start time:	02:52:03
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Shipping Documents_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Documents_pdf.exe"
Imagebase:	0xc70000
File size:	1'203'200 bytes
MD5 hash:	50E6E94907FC16F102299C659BA822D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1287280845.0000000003860000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:52:04
Start date:	24/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Documents_pdf.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.2504867330.00000000032D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.2507141801.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.2502956541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2505956699.0000000004341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2504952800.000000000338F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2504952800.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2504247714.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00C742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C7430D

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

GetCurrentProcess.KERNEL32(?,00D0CB64,00000000,?,?), ref: 00C74422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C74429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C74454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C74466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C74474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C7447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C744A0

Strings

|O, xrefs: 00CB36F8
GetNativeSystemInfo, xrefs: 00C74460
kernel32.dll, xrefs: 00C7444F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4df0d509ddd696c565b81faeb01db660edeed417565cb90b4b239eaee02f3f4b
Instruction ID: 5b614e3f5bad85ee5e51c8ddaf537fa69577f2e13483201ecef15c7cdd0e3357
Opcode Fuzzy Hash: 4df0d509ddd696c565b81faeb01db660edeed417565cb90b4b239eaee02f3f4b
Instruction Fuzzy Hash: 4CA1A27E91A3C0DFC715CF69BC482E57FA46B27740F089899E055D3B62E6214A88DF32

Function 00C742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C750AA,?,?,00000000,00000000), ref: 00C742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C750AA,?,?,00000000,00000000), ref: 00C742C9
LoadResource.KERNEL32(?,00000000,?,?,00C750AA,?,?,00000000,00000000,?,?,?,?,?,?,00C74F20), ref: 00CB35BE
SizeofResource.KERNEL32(?,00000000,?,?,00C750AA,?,?,00000000,00000000,?,?,?,?,?,?,00C74F20), ref: 00CB35D3
LockResource.KERNEL32(00C750AA,?,?,00C750AA,?,?,00000000,00000000,?,?,?,?,?,?,00C74F20,?), ref: 00CB35E6

Strings

SCRIPT, xrefs: 00C742BF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 08c766dabf310ed45c7763dd6e3887f5de8abe9084d6f01fe78961c0da45f208
Instruction ID: 909b6eab030be95a6aea6ea2eae577ad105fc1d96e565a47c778dc628e043bbf
Opcode Fuzzy Hash: 08c766dabf310ed45c7763dd6e3887f5de8abe9084d6f01fe78961c0da45f208
Instruction Fuzzy Hash: 3C117C70200700BFD7258BA5DC49F677BB9EBC5B51F208269B41ADA690DB71D9108A30

Function 00CB2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C72B6B

Part of subcall function 00C73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D41418,?,00C72E7F,?,?,?,00000000), ref: 00C73A78

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D32224), ref: 00CB2C10
ShellExecuteW.SHELL32(00000000,?,?,00D32224), ref: 00CB2C17

Strings

runas, xrefs: 00CB2C0B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f880c106fd791d232c69e619defca41ae371e94f88442bcf392e9637f4d54eec
Instruction ID: 241f44540e7dd2d4e7e7c8b161af346cca4f9d933d07541aa86774251052c4db
Opcode Fuzzy Hash: f880c106fd791d232c69e619defca41ae371e94f88442bcf392e9637f4d54eec
Instruction Fuzzy Hash: AF11B1312083456BC714FF60D852EBE7BA4ABA1350F44942DF09E521A2DF308A4AB722

Function 00CDDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00CB5222), ref: 00CDDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00CDDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00CDDBEE
FindClose.KERNEL32(00000000), ref: 00CDDBFA

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 34e7a1e6080e90926c637cfee087c73d69f12149e622e440712f6ba4c29478d4
Instruction ID: 3fe54bee4f2712fa78e3a238b5a7497feddb19fd188cc4319c65476925c6d004
Opcode Fuzzy Hash: 34e7a1e6080e90926c637cfee087c73d69f12149e622e440712f6ba4c29478d4
Instruction Fuzzy Hash: 72F0A73083061057C2206B789C0D67E376C9E41334F104703F53AC12E1EBB0595485A9

Function 00C7D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C7D807
timeGetTime.WINMM ref: 00C7DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7DB28
TranslateMessage.USER32(?), ref: 00C7DB7B
DispatchMessageW.USER32(?), ref: 00C7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7DB9F
Sleep.KERNEL32(0000000A), ref: 00C7DBB1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 75656c925ffb81f7f4a93c8d9a5d83df0e835feff2437abf72edfd005ef79dc9
Instruction ID: edf02da61dbcca2e1acc786761e556780a2acd5e94973e0ecda878113c1d81da
Opcode Fuzzy Hash: 75656c925ffb81f7f4a93c8d9a5d83df0e835feff2437abf72edfd005ef79dc9
Instruction Fuzzy Hash: EA42EF30608341EFD729DF25C884F6AB7F0BF86314F18865DE56A87291DB70E984DB92

Function 00C72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C72D07
RegisterClassExW.USER32(00000030), ref: 00C72D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C72D42
InitCommonControlsEx.COMCTL32(?), ref: 00C72D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C72D6F
LoadIconW.USER32(000000A9), ref: 00C72D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C72D94

Strings

+, xrefs: 00C72CF0
TaskbarCreated, xrefs: 00C72D37
AutoIt v3 GUI, xrefs: 00C72D23
0, xrefs: 00C72CE9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cfbdb905a2dbd7c1cfa23b8a45de5b36110827622cce87ff661d2cc93e9ccb2f
Instruction ID: e52f4bd8b6f5cd5ae41e2dcdb7f5edf751e8d9d9eedef6f4b4556537faa951a3
Opcode Fuzzy Hash: cfbdb905a2dbd7c1cfa23b8a45de5b36110827622cce87ff661d2cc93e9ccb2f
Instruction Fuzzy Hash: 3E21E3B9921308AFDB00DFA4E849BDDBBB4FB09700F10921AF515E63A0D7B10584CFA0

Function 00CB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00CB0704,?,?,00000000,?,00CB0704,00000000,0000000C), ref: 00CB03B7

GetLastError.KERNEL32 ref: 00CB076F
__dosmaperr.LIBCMT ref: 00CB0776
GetFileType.KERNELBASE(00000000), ref: 00CB0782
GetLastError.KERNEL32 ref: 00CB078C
__dosmaperr.LIBCMT ref: 00CB0795
CloseHandle.KERNEL32(00000000), ref: 00CB07B5
CloseHandle.KERNEL32(?), ref: 00CB08FF
GetLastError.KERNEL32 ref: 00CB0931
__dosmaperr.LIBCMT ref: 00CB0938

Strings

H, xrefs: 00CB08BD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b1545c61b534f9b718969ed31bbadd7b7c12fbdebb885c931e4956bf2b08f9ff
Instruction ID: 35d252043187d5f0fee43aebee6e09db6ebe08fc01dd0b1ebaf1914eae2b3321
Opcode Fuzzy Hash: b1545c61b534f9b718969ed31bbadd7b7c12fbdebb885c931e4956bf2b08f9ff
Instruction Fuzzy Hash: E5A12432A146048FDF19EF68D855BEE7BA0AB06320F24015DF815EB3E1CB319D16DBA1

Function 00C7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D41418,?,00C72E7F,?,?,?,00000000), ref: 00C73A78

Part of subcall function 00C73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C73379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C7356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CB318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CB31CE
RegCloseKey.ADVAPI32(?), ref: 00CB3210
_wcslen.LIBCMT ref: 00CB3277
_wcslen.LIBCMT ref: 00CB3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00C73560
\Include\, xrefs: 00C73527
\, xrefs: 00CB328C
Include, xrefs: 00CB3184, 00CB31C5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 28acbe3a9c3b69c3786151e0cf60048fd85eeb5e162adbf5596e0954d51f01d7
Instruction ID: d64daf1729ccf115bcccbb9920660a5a4ea43a2c2fd13cc94900c88df064401e
Opcode Fuzzy Hash: 28acbe3a9c3b69c3786151e0cf60048fd85eeb5e162adbf5596e0954d51f01d7
Instruction Fuzzy Hash: 5A715A714143009FC314EF65DC8A9AABBF8FF96740F80452EF559C32A1DB309A49DB62

Function 00C72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C72B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C72B9D
LoadIconW.USER32(00000063), ref: 00C72BB3
LoadIconW.USER32(000000A4), ref: 00C72BC5
LoadIconW.USER32(000000A2), ref: 00C72BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C72BEF
RegisterClassExW.USER32(?), ref: 00C72C40

Part of subcall function 00C72CD4: GetSysColorBrush.USER32(0000000F), ref: 00C72D07
Part of subcall function 00C72CD4: RegisterClassExW.USER32(00000030), ref: 00C72D31
Part of subcall function 00C72CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C72D42
Part of subcall function 00C72CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C72D5F
Part of subcall function 00C72CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C72D6F
Part of subcall function 00C72CD4: LoadIconW.USER32(000000A9), ref: 00C72D85
Part of subcall function 00C72CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C72D94

Strings

AutoIt v3, xrefs: 00C72C2F
0, xrefs: 00C72C0F
#, xrefs: 00C72C16

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ab7e4a198aa71f5480c4491f4807090de2376afd32b82873a4b06ad6d37593e0
Instruction ID: 844275dc04c423bf3230eb99f8657e5f3f3b444c05c4c9bb9f2fd7297e42781c
Opcode Fuzzy Hash: ab7e4a198aa71f5480c4491f4807090de2376afd32b82873a4b06ad6d37593e0
Instruction Fuzzy Hash: 6221387CE50318ABDB109FA5EC89BA97FB4FB49B50F10411AE504E67A0D3B11580CFA0

Function 00C73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C7316A,?,?), ref: 00C731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C7316A,?,?), ref: 00C73204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C73227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C7316A,?,?), ref: 00C73232
CreatePopupMenu.USER32 ref: 00C73246
PostQuitMessage.USER32(00000000), ref: 00C73267

Strings

TaskbarCreated, xrefs: 00C7322D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 057448b61d619231feb5b4c93c9536c9cd35e5679e23f86b7b8057ca3be48ff7
Instruction ID: 81a3a88e33f84c36a3b47ecab113b86fed2f2d16802695d4839a26ae68f13bb9
Opcode Fuzzy Hash: 057448b61d619231feb5b4c93c9536c9cd35e5679e23f86b7b8057ca3be48ff7
Instruction Fuzzy Hash: E741F539260384A7DB155F789D0EBBD3B59E746340F148225F92EC63A3C7619B80BB72

Function 00CA8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567a0f3356ab53474bf336bf4b6406fd7d16a0546a724d3a062c7827e7b07095
Instruction ID: 189d843095a1825097361e2a8887ea4ff90be74c6c174a1b4de301f804119e47
Opcode Fuzzy Hash: 567a0f3356ab53474bf336bf4b6406fd7d16a0546a724d3a062c7827e7b07095
Instruction Fuzzy Hash: 25C1D17890434AAFCF11DFA8C845BADBFB0AF0E318F144199E925E7392C7349A45DB61

Function 01D525F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01D526C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01D528E7

Memory Dump Source

Source File: 00000000.00000002.1287230632.0000000001D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d50000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: c89b59eb17d1e03ab8890890e3b371c9c0f3042b26bda8579e7b7410420c7522
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: FDA10674E00209EBDF54CFE4C894BAEBBB5BF48304F208559E911BB281D7799A45CFA4

Function 00C72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C72C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C72CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C71CAD,?), ref: 00C72CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C71CAD,?), ref: 00C72CCF

Strings

edit, xrefs: 00C72CAC
AutoIt v3, xrefs: 00C72C89, 00C72C8E, 00C72C8F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3518bade093dfa68d05583fabedc3fcb64da1e607569765a8bc4308837415415
Instruction ID: 8626de876f8b386aeefeb6af99192ee8a136d6a0905fe376f23467f90f3140c4
Opcode Fuzzy Hash: 3518bade093dfa68d05583fabedc3fcb64da1e607569765a8bc4308837415415
Instruction Fuzzy Hash: 2EF0B27D6903907BEB211F67AC4CFB72EBDD7CBF60B00105AF904E26A0C6611894DAB0

Function 01D523B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01D522A0: Sleep.KERNELBASE(000001F4), ref: 01D522B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01D524DB

Strings

IOYCOUDPJYEIL5, xrefs: 01D5253E, 01D52541

Memory Dump Source

Source File: 00000000.00000002.1287230632.0000000001D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d50000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: IOYCOUDPJYEIL5
API String ID: 2694422964-3516467701
Opcode ID: 3edcc02c06a9dfacd75b9c83f4ce44be3e70512c69fbc558adbb5c2b9e42fe2f
Instruction ID: cd879a77033d9017ff562e10acd717192892f6dec19422f0cc6f39dde2281b1c
Opcode Fuzzy Hash: 3edcc02c06a9dfacd75b9c83f4ce44be3e70512c69fbc558adbb5c2b9e42fe2f
Instruction Fuzzy Hash: 42518C71D04249EBEF11DBE4C855BEEBB79AF18300F004199E609BB2C1D7B95B48CB66

Function 00CE2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE2C05
DeleteFileW.KERNEL32(?), ref: 00CE2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CE2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE2CC0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 31fa8b358d7120afcd9cf88d90495dd214a2461fd859b5ec3ad0b83975006f2e
Instruction ID: 6dd4f75559cac244ca920c8eabb0b69d1685c5d61eddd3e760d5f0d4993ae2f5
Opcode Fuzzy Hash: 31fa8b358d7120afcd9cf88d90495dd214a2461fd859b5ec3ad0b83975006f2e
Instruction Fuzzy Hash: 60B14C72A00219ABDF21EBA5CC85EDEB7BDEF48350F1040A6F609E7141EA719A449F61

Function 00C73B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C73B0F,SwapMouseButtons,00000004,?), ref: 00C73B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C73B0F,SwapMouseButtons,00000004,?), ref: 00C73B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C73B0F,SwapMouseButtons,00000004,?), ref: 00C73B83

Strings

Control Panel\Mouse, xrefs: 00C73B3E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 375af6c398cd4b25cfd755b985d5e7ec8946e8756041823cb935ac6f8f20305a
Instruction ID: 7b6f1ca9a80fa313a4a619fffb16d62d42a03eb2cf5b9088e4fe22b57adab286
Opcode Fuzzy Hash: 375af6c398cd4b25cfd755b985d5e7ec8946e8756041823cb935ac6f8f20305a
Instruction Fuzzy Hash: A9112AB5520248FFDB208FA5DC44AEEBBBCEF04744B10855AA809D7210D2319F40A7A0

Function 01D512A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01D51ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01D51AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01D51B13

Memory Dump Source

Source File: 00000000.00000002.1287230632.0000000001D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d50000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: f681dceafbf6a42989fb0496629730276bc2d77f6194b17c137e0fcbfb8d5cd2
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 9B621C30A14258DBEB64DFA4C850BDEB772EF58300F1091A9D60DEB390E7799E81CB59

Function 00C7DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00CC32B7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 0889ff4486c31876f0d18abe4aabfcf01fa574a7fb651125e6dc7270dbf74ae3
Instruction ID: 419bc06e8e68d03bd3628ab77279c68c26eff43440d0c86f4c4a612aba9369d4
Opcode Fuzzy Hash: 0889ff4486c31876f0d18abe4aabfcf01fa574a7fb651125e6dc7270dbf74ae3
Instruction Fuzzy Hash: EEC29E76A00204CFCB24DF58C885BADB7B1BF09314F24C5A9E969AB3A1D371EE41DB51

Function 00C73923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CB33A2

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C73A04

Strings

Line: , xrefs: 00CB33EB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6c40b8d54945860f9f525831018605dd99f540a1d4cea6ef69b3a6676a724b96
Instruction ID: 575bc3bf0b3595a0872e4a7caa647b0889481a7b7ed44f51084166d73e13551d
Opcode Fuzzy Hash: 6c40b8d54945860f9f525831018605dd99f540a1d4cea6ef69b3a6676a724b96
Instruction Fuzzy Hash: 4F31C371448340ABC721EF20DC49BEFB7E8AB81710F00852AF59D831A1EB709789E7D2

Function 00C8FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C90668

Part of subcall function 00C932A4: RaiseException.KERNEL32(?,?,?,00C9068A,?,00D41444,?,?,?,?,?,?,00C9068A,00C71129,00D38738,00C71129), ref: 00C93304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C90685

Strings

Unknown exception, xrefs: 00C90692

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4f7c0bfdcab5206bb7349b07940e6f48d0e302d79ddaed6ec61680f28b93bd39
Instruction ID: efe71597118d783bce630cc7c172adb737dd2fbc2e4f197e01792fa700a5babe
Opcode Fuzzy Hash: 4f7c0bfdcab5206bb7349b07940e6f48d0e302d79ddaed6ec61680f28b93bd39
Instruction Fuzzy Hash: D0F0AF34900709AB8F00BA64D84EC9E7B6C5F00314B704136B924D65D2EF71EB6AE694

Function 00CE3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CE302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CE3044

Strings

aut, xrefs: 00CE3038

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cf0357931f13dcc216d3a3bc1aeb8f5137df2746a625bbfcd9378c7b2f20eae6
Instruction ID: 6f9f616a2bca86e08e8eef8b8c787e828268cac7c2caf0a9c189b77847ee303a
Opcode Fuzzy Hash: cf0357931f13dcc216d3a3bc1aeb8f5137df2746a625bbfcd9378c7b2f20eae6
Instruction Fuzzy Hash: 7CD05E725003287BDA20A7A4AC0EFCB3A6CDB06750F0002A1B659E21D1DAB0D984CAE4

Function 00CF7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00CF82F5
TerminateProcess.KERNEL32(00000000), ref: 00CF82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00CF84DD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 99d1bfb0e2194acdef9a4441d94ef0b358717cd7571a458ba2a877c0f6da4061
Instruction ID: d6a1ff19e2f4ee9a5c9e31e925841cfa9308d6ad54eab06e33abed0b14029155
Opcode Fuzzy Hash: 99d1bfb0e2194acdef9a4441d94ef0b358717cd7571a458ba2a877c0f6da4061
Instruction Fuzzy Hash: 16128B71A083059FC754DF28C484B2ABBE1FF85318F04895DE9998B392CB31E949CF92

Function 00CA5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35c2c1eaedb0342f116c9bbae0537e6120849c5aa6f6e03f27ebef09848efd0
Instruction ID: 721841b4f2f7053e06190ee46213609cd0d1149f11e2f545b616b973edfd3754
Opcode Fuzzy Hash: c35c2c1eaedb0342f116c9bbae0537e6120849c5aa6f6e03f27ebef09848efd0
Instruction Fuzzy Hash: 9151D075D00A0A9FCF109FA5D849FEE7BB8AF0A32CF148059F515E7291D6358A01DB71

Function 00C710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C71BF4
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C71BFC
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C71C07
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C71C12
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C71C1A
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C71C22

Part of subcall function 00C71B4A: RegisterWindowMessageW.USER32(00000004,?,00C712C4), ref: 00C71BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C7136A
OleInitialize.OLE32 ref: 00C71388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CB24AB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: aea96eea3fc1034cd69ed9a16aa2f469cd98a09ec96e11d4d90e4de75089c0f6
Instruction ID: cd5f7bb4d01ca6ee67b56c4c782ebf4381e53cf534cfe08e4bd0c12eaf5431e5
Opcode Fuzzy Hash: aea96eea3fc1034cd69ed9a16aa2f469cd98a09ec96e11d4d90e4de75089c0f6
Instruction Fuzzy Hash: 937197BC9113459FC784EF7AE8456993AF0BB8A384758822AD51EC73A1EB3084C4DF74

Function 00C754C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00C7556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00C7557D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f644cbf82c7b6de296e6204b12603864840fb21edc60c1d46a8445ed635f2e7a
Instruction ID: e9c3a01bb30ae6e879a3e3ff751c3e49797502263f62fd7210849b10d9ea56bb
Opcode Fuzzy Hash: f644cbf82c7b6de296e6204b12603864840fb21edc60c1d46a8445ed635f2e7a
Instruction Fuzzy Hash: 9C313E71A00609FFDB14CF68C880B99B7B6FB48714F15C629E92997240D7B1FE94DB90

Function 00CA86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00CA85CC,?,00D38CC8,0000000C), ref: 00CA8704
GetLastError.KERNEL32(?,00CA85CC,?,00D38CC8,0000000C), ref: 00CA870E
__dosmaperr.LIBCMT ref: 00CA8739

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 76c6908b3001fbc98ec2dcb8f171fa0d7b1952b76a328000c1b2c16a17432ad7
Instruction ID: 55ec31ae2238b373ef51fb4fa8f821b2b53c40be5abbf5c642c74e7d016d337e
Opcode Fuzzy Hash: 76c6908b3001fbc98ec2dcb8f171fa0d7b1952b76a328000c1b2c16a17432ad7
Instruction Fuzzy Hash: 7E014E3261562227EA6467346845B7E6B494BC377CF39421DF928CB1E2DEB0CD89D1A0

Function 00CE2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00CE2CD4,?,?,?,00000004,00000001), ref: 00CE2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CE3006
CloseHandle.KERNEL32(00000000,?,00CE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CE300D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 911d0d3dd4936592bb2ff4a360e41906c37dded8e16b0d9dd4a25cc6af108c72
Instruction ID: deb7169dff2694250abe4bc3b097573578921c4560ed679cf2c21016155ce86f
Opcode Fuzzy Hash: 911d0d3dd4936592bb2ff4a360e41906c37dded8e16b0d9dd4a25cc6af108c72
Instruction Fuzzy Hash: DFE0863269031477D2301756BC0DF8B3A1CD786B71F104314F72DB61D046A0260142B9

Function 00C81310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C817F6

Strings

CALL, xrefs: 00C817C6

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9438536e97245cf398c50b53b19031897e025c401cd1ff84ecca6273b16d416b
Instruction ID: 3a3a6d74384129656167f63d84c13f79d83f547d0b53bef6b887df4c79baede4
Opcode Fuzzy Hash: 9438536e97245cf398c50b53b19031897e025c401cd1ff84ecca6273b16d416b
Instruction Fuzzy Hash: 75229B706082419FC714EF15C480F2ABBF5BF85318F28896DF89A8B3A1D731E946DB56

Function 00CE6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CE6F6B

Part of subcall function 00C74ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00CE6F5A, 00CE6F63

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 8987c284c2d44d7fbf0800d21bfadf9171b6aabf6c8774c7ac7ddc804d7c8a3a
Instruction ID: 9dbc9ce0a7724def7df8f2167a70a1d8e176c53e4e53f905a147a4a40b80162b
Opcode Fuzzy Hash: 8987c284c2d44d7fbf0800d21bfadf9171b6aabf6c8774c7ac7ddc804d7c8a3a
Instruction Fuzzy Hash: E7B1AF31108341DFCB14EF25C89196EB7E5BF94300F14896DF59A972A2EB30EE49DB92

Function 00C72DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CB2C8C

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

Part of subcall function 00C72DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C72DC4

Strings

X, xrefs: 00CB2C5A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e62cb7e16793e7c5556c30f11987bcd64fcaa4072adeb15f1a60bb706d1c993f
Instruction ID: d45cd8391d8efa146946f432a043c9b39e52694baba338f68bded4960e2dbc7a
Opcode Fuzzy Hash: e62cb7e16793e7c5556c30f11987bcd64fcaa4072adeb15f1a60bb706d1c993f
Instruction Fuzzy Hash: 0A219371A00298ABDB01DF94C845BEE7BF8AF49314F008059E409B7341DBB49A89DB61

Function 00CE2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00CE2587

Strings

EA06, xrefs: 00CE25B9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 0dff01b1117ae3c11e684e9676cd8b67b6473b1a327abe20c1e9ff2da89f0982
Instruction ID: dbfbef42db0fee4644fc6aa40dbb995f116613a0c400d24e1d14566b7f2653fd
Opcode Fuzzy Hash: 0dff01b1117ae3c11e684e9676cd8b67b6473b1a327abe20c1e9ff2da89f0982
Instruction Fuzzy Hash: A801B5729042587EDF18C7A9C85AFEEBBF8DB15301F00459AE192D21C1E5B4E7089B60

Function 00C73837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C73908

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 323a16931c77334802157170b42caf44fe2f6d039e829661d8bf7213b9c33987
Instruction ID: 023477fd1b50c0715abf371e70f1184359d7bec72229f65dfc1d9aec2ec73d8f
Opcode Fuzzy Hash: 323a16931c77334802157170b42caf44fe2f6d039e829661d8bf7213b9c33987
Instruction Fuzzy Hash: 6B315E749047419FD720DF64D889797BBE8FB49708F00092EF6A9C7390E771AA44DB62

Function 00C75745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C7949C,?,00008000), ref: 00C75773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00C7949C,?,00008000), ref: 00CB4052

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d8aacf7a2064a06b7c5b698b7bd3e56bb5d625488b103607dec6dde92aaa28a0
Instruction ID: 785804568ff541864852b6ac93f3b987afe585811a7d3a57720d87bf15ef73c4
Opcode Fuzzy Hash: d8aacf7a2064a06b7c5b698b7bd3e56bb5d625488b103607dec6dde92aaa28a0
Instruction Fuzzy Hash: 2C015231645325BAE3345A2ADC0EF977F98EF067B0F14C310BAAC5A1E1D7B45954CB90

Function 00C76E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00C79879,?,?,?), ref: 00C76E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00C79879,?,?,?), ref: 00C76E69

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 18028939ccabc85b4dcd3378af1756bdffdc290119d9dfd66e11c51b5f336c3d
Instruction ID: 796d1c5b676f55e9ff1186d1e916ebd8e2e926470bb4238b1ae191516f1fa2d7
Opcode Fuzzy Hash: 18028939ccabc85b4dcd3378af1756bdffdc290119d9dfd66e11c51b5f336c3d
Instruction Fuzzy Hash: D901F7713002017FEB18677ADC0BF7F7AADDB85300F14413DB10ADA2E1E960AC005635

Function 00C7B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C7BB4E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 1f216f13ce43f4db725570a516497f46a40da9fde3d1a2c152926040dd64df7e
Instruction ID: 0cc45c8fa1f884196e76d24c48feb5469ddfffeae76f16d2f4db0a15428068af
Opcode Fuzzy Hash: 1f216f13ce43f4db725570a516497f46a40da9fde3d1a2c152926040dd64df7e
Instruction Fuzzy Hash: 1232AE34A00209DFDB14CF55C898FBEB7B9EF44314F288059E929AB3A1C774AE41CB61

Function 01D5129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01D51ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01D51AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01D51B13

Memory Dump Source

Source File: 00000000.00000002.1287230632.0000000001D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d50000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 987d7ce785a106f14c47e048423b55fd8529ca4b0d200c17ea7e3041dec9fe68
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: C212CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00C74ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E9C
Part of subcall function 00C74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C74EAE
Part of subcall function 00C74E90: FreeLibrary.KERNEL32(00000000,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EFD

Part of subcall function 00C74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E62
Part of subcall function 00C74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C74E74
Part of subcall function 00C74E59: FreeLibrary.KERNEL32(00000000,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E87

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 64e64dfaf8b1d7f870772d0fc7b55d472a9f8b18b1d3cb1804380c3d83f51758
Instruction ID: 52bdce2d163d28811bb8465d9aeb4b95be72dd27f460b7f4236e72391b79481d
Opcode Fuzzy Hash: 64e64dfaf8b1d7f870772d0fc7b55d472a9f8b18b1d3cb1804380c3d83f51758
Instruction Fuzzy Hash: D811E332610205ABDF28FBA5DC06FADB7A5AF40710F20C42DF55AA61C1EFB09A05A750

Function 00CA8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CA8440

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 70c1436894a9b3a8050033fd71745a54ee14a0171c88fe3a4c96e5fd0cbdbe36
Instruction ID: 1f9e9b45f009cbbe77c41435ce826134b1b1197f424eb2e555355efe0676386b
Opcode Fuzzy Hash: 70c1436894a9b3a8050033fd71745a54ee14a0171c88fe3a4c96e5fd0cbdbe36
Instruction Fuzzy Hash: 4111487590420AAFCF05DF58E94099E7BF8EF49304F104059F808AB312DA30DA15CBA4

Function 00C79A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00C7543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00C79A9C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36bf634b548704d42f0a995bba1aef65dca3d1c52545a86b1def3515819e294f
Instruction ID: 30f61b9a066c3e999194e0769dab36c239edc5bec1cbabad7649fd00841f1e02
Opcode Fuzzy Hash: 36bf634b548704d42f0a995bba1aef65dca3d1c52545a86b1def3515819e294f
Instruction Fuzzy Hash: 381148312057059FDB20CF1AC880B66B7F9EF44764F10C42EE9AF8AA51C770A945EB60

Function 00CA5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CA4C7D: RtlAllocateHeap.NTDLL(00000008,00C71129,00000000,?,00CA2E29,00000001,00000364,?,?,?,00C9F2DE,00CA3863,00D41444,?,00C8FDF5,?), ref: 00CA4CBE

_free.LIBCMT ref: 00CA506C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 8e322c329d0ec22bd7b4c1fb421180734c2e090c8a266c83c97bebf95501a275
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: 550149722047066BE3318F69DC81A9AFBECFB8A374F25051DE194832C0EB70A905C7B4

Function 00C9E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 8cea720a34531d60a8e479a89c97c913c24bf2301ff471473830bde38c161e19
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 52F0F932510E18D7DE317A6ACC0DB5633989FB3334F100715F421961D1DF70D50596A5

Function 00CA4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C71129,00000000,?,00CA2E29,00000001,00000364,?,?,?,00C9F2DE,00CA3863,00D41444,?,00C8FDF5,?), ref: 00CA4CBE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 997692c2f24e0bbee248975d9a10fb4a5f07c4831c682eca5c4ac39f18b54dbb
Instruction ID: dafd3bd139248d38e4955f35f05f8280cf0507482384891564dd8a27b82a306f
Opcode Fuzzy Hash: 997692c2f24e0bbee248975d9a10fb4a5f07c4831c682eca5c4ac39f18b54dbb
Instruction Fuzzy Hash: 92F0E93160623667DF295F669C09F5A3788BFC37BCB144225B82DE7281CAF0D90256E0

Function 00CA3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a56ddee952476b605913dcab62e6620b9b36af40e478262577dbd86a22d3b5dd
Instruction ID: 866d3a52609bfb8c7da8ee4b990394588600250c268e796df1e09dfb5538416c
Opcode Fuzzy Hash: a56ddee952476b605913dcab62e6620b9b36af40e478262577dbd86a22d3b5dd
Instruction Fuzzy Hash: BFE0E5312012A757DB212B679C18F9A3748AF437BCF050122BC24D65C0DB18DF0292F1

Function 00CA4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA4D9C

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: da764eba38c961349524b79a93e078d94f1f70b27d9072dd47febcac7219ebed
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: EFE092361003069F8724CF6CD400A82BBF4EF853247208529E89DD3310D331E812CB80

Function 00C74F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74F6D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2b3a4c224df5e07ebb816358542c0d96427efebe350f7ebeb27d9d8f00da90f3
Instruction ID: 2deb2f6d974957dd6fab724ea96e0b492073497508c285b89f6e726a7f2f42e0
Opcode Fuzzy Hash: 2b3a4c224df5e07ebb816358542c0d96427efebe350f7ebeb27d9d8f00da90f3
Instruction Fuzzy Hash: D3F01571105752CFDB389FA5D494822BBE4AF15329320CA6EE1EE82621C7329844DB10

Function 00C72DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C72DC4

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: b5672a3ae78a9d4a982b2a3e011f024237c69c40749bee4d0398f842655397fd
Instruction ID: 04f10ee6fa2a4217f20b68c26c359413b6a359ab8b31f806f1095471f6c580f4
Opcode Fuzzy Hash: b5672a3ae78a9d4a982b2a3e011f024237c69c40749bee4d0398f842655397fd
Instruction Fuzzy Hash: A8E0C272A002245BCB20E7A89C06FEA77EDDFC8790F0441B1FD0DE7249DA60AD80D6A0

Function 00CE2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00CE26B5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: d9c53401d1c37ae4ddee9775f0d39d59c03e66c3027505bb8eec43b0557a4100
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: F7E04FB0609B005FDF399A28A8517B677EC9F49300F00096EF6AB82252E57268458A4D

Function 00C72B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C73908

Part of subcall function 00C7D730: GetInputState.USER32 ref: 00C7D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C72B6B

Part of subcall function 00C730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C7314E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 8f1e0dc25f568ccdbb6e92ed17f8489be56d86204374722b9b70d06f2ab5d408
Instruction ID: 068e3ba32594bed3797aaba6bd06e07ee2f0f8a68dac4b58912f203eea0bbee1
Opcode Fuzzy Hash: 8f1e0dc25f568ccdbb6e92ed17f8489be56d86204374722b9b70d06f2ab5d408
Instruction Fuzzy Hash: 02E0862531428907C608BB75985256DA7599BE2351F40953EF14F872A3CF2446856262

Function 00CB039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CB0704,?,?,00000000,?,00CB0704,00000000,0000000C), ref: 00CB03B7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 15c3081a495c1870df468a51251f45774e8646cacff4452e9c353cc42b2a8bd2
Instruction ID: 23d1881f4526ff69b369550f005a504cc1f99d80e3daae29c1efc41bec482728
Opcode Fuzzy Hash: 15c3081a495c1870df468a51251f45774e8646cacff4452e9c353cc42b2a8bd2
Instruction Fuzzy Hash: 39D06C3205020DBBDF028F84DD06EDA3BAAFB48714F014100BE1896120C732E821AB91

Function 00C71CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C71CBC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6d80b83f00e0eb521ce72bed26f5a06296b2c97d8f68b5c2e88e528690c4d2e5
Instruction ID: ca03f083ddd8170613e165edba02b14773cb1a39e48944a523c67aed772ff7b8
Opcode Fuzzy Hash: 6d80b83f00e0eb521ce72bed26f5a06296b2c97d8f68b5c2e88e528690c4d2e5
Instruction Fuzzy Hash: 65C0923E280304AFF2148F80BC4EF2077A4A349F00F448001F60DE9BE3C3A22860EA70

Function 00CE744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00C75745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C7949C,?,00008000), ref: 00C75773

GetLastError.KERNEL32(00000002,00000000), ref: 00CE76DE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 12427c4bae5563030694f9de263496d2d962d1dc07347902cc1bf52080382207
Instruction ID: 35a3c29d0facc99994313fd33d083e3c1a9de3c9ed2576d1e6c15d3d0926858a
Opcode Fuzzy Hash: 12427c4bae5563030694f9de263496d2d962d1dc07347902cc1bf52080382207
Instruction Fuzzy Hash: 7381AF302087419FCB14EF29C491A6DB7E5BF89314F04861DF99A5B3A2DB30EE45DB92

Function 00C8FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00C8FD1F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 787eba787b0a9009cb08546827224d42c9454ec85bb48932497c0041fc1d5144
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9C310675A00109DBC728EF59D480969F7A2FF49308B2486AAE919CF655D731EEC2CBC4

Function 01D522A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01D522B1

Memory Dump Source

Source File: 00000000.00000002.1287230632.0000000001D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d50000_Shipping Documents_pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c00ef0f63c417cdc7e4b9190756f1bc829fc428980f7ea9f7824e727580f2e2a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 48E0E67594010EEFDB00EFB4D54969E7FF4EF04301F100161FD05E2281D6309D508A72

Non-executed Functions

Function 00D09576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D0961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D0965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D0969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D096C9
SendMessageW.USER32 ref: 00D096F2
GetKeyState.USER32(00000011), ref: 00D0978B
GetKeyState.USER32(00000009), ref: 00D09798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D097AE
GetKeyState.USER32(00000010), ref: 00D097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D097E9
SendMessageW.USER32 ref: 00D09810
SendMessageW.USER32(?,00001030,?,00D07E95), ref: 00D09918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D0992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D09941
SetCapture.USER32(?), ref: 00D0994A
ClientToScreen.USER32(?,?), ref: 00D099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D099D6
ReleaseCapture.USER32 ref: 00D099E1
GetCursorPos.USER32(?), ref: 00D09A19
ScreenToClient.USER32(?,?), ref: 00D09A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D09A80
SendMessageW.USER32 ref: 00D09AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D09AEB
SendMessageW.USER32 ref: 00D09B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D09B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D09B4A
GetCursorPos.USER32(?), ref: 00D09B68
ScreenToClient.USER32(?,?), ref: 00D09B75
GetParent.USER32(?), ref: 00D09B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D09BFA
SendMessageW.USER32 ref: 00D09C2B
ClientToScreen.USER32(?,?), ref: 00D09C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D09CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D09CDE
SendMessageW.USER32 ref: 00D09D01
ClientToScreen.USER32(?,?), ref: 00D09D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D09D82

Part of subcall function 00C89944: GetWindowLongW.USER32(?,000000EB), ref: 00C89952

GetWindowLongW.USER32(?,000000F0), ref: 00D09E05

Strings

@GUI_DRAGID, xrefs: 00D0997D
F, xrefs: 00D09D07

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 2926d00cdd158aa4c536a358d6bf456f3c56b64d4c18de45892d6ab1067ed920
Instruction ID: 2dc51838cdf4a726cb4496b751f5b5a01cd26fa77a3ed4adb4d07516ab6a34f2
Opcode Fuzzy Hash: 2926d00cdd158aa4c536a358d6bf456f3c56b64d4c18de45892d6ab1067ed920
Instruction Fuzzy Hash: DA426A35608301AFD724CF24CC64BAABBE5EF89310F584619F699872E2D772E851CB61

Function 00D04873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D04908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D04927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D0494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D0495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D0497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D04A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D04A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D04A7E
IsMenu.USER32(?), ref: 00D04A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D04AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D04B20
GetWindowLongW.USER32(?,000000F0), ref: 00D04B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D04BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D04C82
wsprintfW.USER32 ref: 00D04CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D04CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D04CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D04D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D04D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D04D5A

Strings

%d/%02d/%02d, xrefs: 00D04CA8

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 01b45f3d8fff4b6f50615a07f4ffb0e25ddcf5fca5bb70d522ceb8e9b7072cf4
Instruction ID: 786b45e15b7bb4fc423d3167a96318fb0fbb935b4993ec506f85912913cadeb4
Opcode Fuzzy Hash: 01b45f3d8fff4b6f50615a07f4ffb0e25ddcf5fca5bb70d522ceb8e9b7072cf4
Instruction Fuzzy Hash: 1A12CFB1600215ABEB249F24CC49FAE7BF8EF85714F148229F619DB2E1DB74D941CB60

Function 00C8F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C8F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CCF474
IsIconic.USER32(00000000), ref: 00CCF47D
ShowWindow.USER32(00000000,00000009), ref: 00CCF48A
SetForegroundWindow.USER32(00000000), ref: 00CCF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCF4AA
GetCurrentThreadId.KERNEL32 ref: 00CCF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CCF4DE
SetForegroundWindow.USER32(00000000), ref: 00CCF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF4F6
keybd_event.USER32(00000012,00000000), ref: 00CCF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF50B
keybd_event.USER32(00000012,00000000), ref: 00CCF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF519
keybd_event.USER32(00000012,00000000), ref: 00CCF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF528
keybd_event.USER32(00000012,00000000), ref: 00CCF52D
SetForegroundWindow.USER32(00000000), ref: 00CCF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CCF557

Strings

Shell_TrayWnd, xrefs: 00CCF46F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 86d0054a7e40a5c9e838174365f3f79e5ee921630b07c2b09e0cecc82b82321f
Instruction ID: 804d30406219f618e777305ce8a387a67c39ae157552a1474afcf30e8351cbec
Opcode Fuzzy Hash: 86d0054a7e40a5c9e838174365f3f79e5ee921630b07c2b09e0cecc82b82321f
Instruction Fuzzy Hash: 29317471A50318BFEB206BB59C4AFBF7E6DEB44B50F101129F604E62D1C6B19D01AA70

Function 00CD1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00CD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD170D
Part of subcall function 00CD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD173A
Part of subcall function 00CD16C3: GetLastError.KERNEL32 ref: 00CD174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00CD1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00CD12A8
CloseHandle.KERNEL32(?), ref: 00CD12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CD12D1
GetProcessWindowStation.USER32 ref: 00CD12EA
SetProcessWindowStation.USER32(00000000), ref: 00CD12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CD1310

Part of subcall function 00CD10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD11FC), ref: 00CD10D4
Part of subcall function 00CD10BF: CloseHandle.KERNEL32(?,?,00CD11FC), ref: 00CD10E9

Strings

, xrefs: 00CD125A
default, xrefs: 00CD130B
winsta0, xrefs: 00CD12CC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: e299eb546692abd4ecf09cb56dd07deb591fb4a7d281b3fb4912fa6c096785f0
Instruction ID: d8c2b10908464ddb995675c5bd187a21a1b27ac77342172d32a9f2177694f4d2
Opcode Fuzzy Hash: e299eb546692abd4ecf09cb56dd07deb591fb4a7d281b3fb4912fa6c096785f0
Instruction Fuzzy Hash: 69818C71900309BFDF219FA5DC49BEE7BB9EF04704F18412AFA24E62A0C7719A45CB61

Function 00CD0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1114
Part of subcall function 00CD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1120
Part of subcall function 00CD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD112F
Part of subcall function 00CD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1136
Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD0C00
GetLengthSid.ADVAPI32(?), ref: 00CD0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00CD0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD0C6D
GetLengthSid.ADVAPI32(?), ref: 00CD0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CD0C8C
HeapAlloc.KERNEL32(00000000), ref: 00CD0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD0CB4
CopySid.ADVAPI32(00000000), ref: 00CD0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0D45
HeapFree.KERNEL32(00000000), ref: 00CD0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0D55
HeapFree.KERNEL32(00000000), ref: 00CD0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0D65
HeapFree.KERNEL32(00000000), ref: 00CD0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD0D78
HeapFree.KERNEL32(00000000), ref: 00CD0D7F

Part of subcall function 00CD1193: GetProcessHeap.KERNEL32(00000008,00CD0BB1,?,00000000,?,00CD0BB1,?), ref: 00CD11A1
Part of subcall function 00CD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CD0BB1,?), ref: 00CD11A8
Part of subcall function 00CD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CD0BB1,?), ref: 00CD11B7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fabfddb38af91a1aed96537b75d7339efcf13e9d1e9a29627e9bb32e960f8edc
Instruction ID: 5eb266cd0ecf7e8eb4c723902dd198cbaed006ca80f3b15016284c7fc7d77e65
Opcode Fuzzy Hash: fabfddb38af91a1aed96537b75d7339efcf13e9d1e9a29627e9bb32e960f8edc
Instruction Fuzzy Hash: 44714E7190020AAFDF10DFA8DC44FAEBBB9BF05310F14461AEA19E7291D771AA05CB71

Function 00CEEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D0CC08), ref: 00CEEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CEEB37
GetClipboardData.USER32(0000000D), ref: 00CEEB43
CloseClipboard.USER32 ref: 00CEEB4F
GlobalLock.KERNEL32(00000000), ref: 00CEEB87
CloseClipboard.USER32 ref: 00CEEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00CEEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CEEBC9
GetClipboardData.USER32(00000001), ref: 00CEEBD1
GlobalLock.KERNEL32(00000000), ref: 00CEEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00CEEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CEEC38
GetClipboardData.USER32(0000000F), ref: 00CEEC44
GlobalLock.KERNEL32(00000000), ref: 00CEEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CEEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CEEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CEECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00CEECF3
CountClipboardFormats.USER32 ref: 00CEED14
CloseClipboard.USER32 ref: 00CEED59

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f293ce92c115273389bcba6b00cef70f556cf5d22e2a88a761e4793858536487
Instruction ID: 50073c05e46188a19af8fb38dd9e02eb09c265e24dbd4f5f504f4163c773b3ae
Opcode Fuzzy Hash: f293ce92c115273389bcba6b00cef70f556cf5d22e2a88a761e4793858536487
Instruction Fuzzy Hash: 6961DF34204381AFD310EF25D885F6A77A4EF84744F149619F46AD72A2DB31EE09DB62

Function 00CE698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CE69BE
FindClose.KERNEL32(00000000), ref: 00CE6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CE6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CE6A75

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CE6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CE6ADF

Strings

%02d, xrefs: 00CE6C00, 00CE6C0A, 00CE6C5A, 00CE6CAA, 00CE6CFA, 00CE6D4A
%4d, xrefs: 00CE6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CE6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00CE6B6A
%03d, xrefs: 00CE6DA2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: fc271c404f87953cf1e686e554bdf57e78875192cf0c2faeafc17658de60faea
Instruction ID: 3dd6beef4d3afe23c26202dae1cdb767865b9d4c8bd68620df486098e100f6a5
Opcode Fuzzy Hash: fc271c404f87953cf1e686e554bdf57e78875192cf0c2faeafc17658de60faea
Instruction Fuzzy Hash: D6D14F72508340AFC710EBA5C882EAFB7ECAF99704F04491DF599C7291EB74DA44DB62

Function 00CE9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00CE9663
GetFileAttributesW.KERNEL32(?), ref: 00CE96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CE96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CE96D3
FindClose.KERNEL32(00000000), ref: 00CE96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CE96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE974A
SetCurrentDirectoryW.KERNEL32(00D36B7C), ref: 00CE9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE9772
FindClose.KERNEL32(00000000), ref: 00CE977F
FindClose.KERNEL32(00000000), ref: 00CE978F

Strings

*.*, xrefs: 00CE96F5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f58d9924d2d39fd990a31d2441ccceffe4cd0b1a45adf092ab324b2a2d132bea
Instruction ID: e11590552f02f2f83008eed45afedc5e88b66c8ba2f7f8ebadb964ac025a10e5
Opcode Fuzzy Hash: f58d9924d2d39fd990a31d2441ccceffe4cd0b1a45adf092ab324b2a2d132bea
Instruction Fuzzy Hash: 4D31F3325106597EDF24AFB6DC09BDE77ACEF09320F104166F818E21A1DB30DE488E24

Function 00CE979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00CE97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CE9819
FindClose.KERNEL32(00000000), ref: 00CE9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CE9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE9890
SetCurrentDirectoryW.KERNEL32(00D36B7C), ref: 00CE98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE98B8
FindClose.KERNEL32(00000000), ref: 00CE98C5
FindClose.KERNEL32(00000000), ref: 00CE98D5

Part of subcall function 00CDDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CDDB00

Strings

*.*, xrefs: 00CE983B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c8ca9aacbb697887df8574e2a1b93b28b68aab664552211ba2269582bad0f143
Instruction ID: 81962bb19a41f9f4c24a66abbd1e5a9bb9f4b9c423049f3c52f95df04fb3cc54
Opcode Fuzzy Hash: c8ca9aacbb697887df8574e2a1b93b28b68aab664552211ba2269582bad0f143
Instruction Fuzzy Hash: 1831B2325006596EDF24EFB6EC48ADE77ACDF06320F148155E928E21E1DB30DE89CB64

Function 00CE8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CE8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CE8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CE8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8395

Strings

*.*, xrefs: 00CE839B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9e37df39ebc2d7995701cf081b037221f2684146a4c8e3f5e38bf12822c8815e
Instruction ID: a192b0225cc9334e802cab4e61d50f2309340ef564805ce939a1ed2d6608b9bc
Opcode Fuzzy Hash: 9e37df39ebc2d7995701cf081b037221f2684146a4c8e3f5e38bf12822c8815e
Instruction Fuzzy Hash: B76188725043459FCB10EF65C881AAEB3E8FF89314F04891EF99D97251DB31EA49CB92

Function 00CDD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

Part of subcall function 00CDE199: GetFileAttributesW.KERNEL32(?,00CDCF95), ref: 00CDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CDD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CDD1DD
MoveFileW.KERNEL32(?,?), ref: 00CDD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CDD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDD237

Part of subcall function 00CDD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00CDD21C,?,?), ref: 00CDD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00CDD253
FindClose.KERNEL32(00000000), ref: 00CDD264

Strings

\*.*, xrefs: 00CDD0CD, 00CDD0D6, 00CDD0EB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 80e44c38ba02fcc480198a0dfd8640b4d3480677da2ecbcc9fdf5486b35b1961
Instruction ID: 2ba0cb924ba8cb1ab3a7e1ef75b8f427a817950920e86c352c2bcd9193655004
Opcode Fuzzy Hash: 80e44c38ba02fcc480198a0dfd8640b4d3480677da2ecbcc9fdf5486b35b1961
Instruction Fuzzy Hash: 3C614E31C0114DAACF05EBE0D992DEDB7B5AF55300F248166E516772A2EB306F09EB61

Function 00CEED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CEED91
EmptyClipboard.USER32 ref: 00CEED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CEEDAC
CloseClipboard.USER32 ref: 00CEEEA3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 61c46c6f285b8b8977a6e275d6678408bc7dc7a53e52ed6dfb654dc0d285c1f4
Instruction ID: b611a1f0723e28e7896bd7798383d7b9472840282e2b5c3f189821a441051d1a
Opcode Fuzzy Hash: 61c46c6f285b8b8977a6e275d6678408bc7dc7a53e52ed6dfb654dc0d285c1f4
Instruction Fuzzy Hash: F941CD35604651AFE320DF26D888B19BBE1FF44358F14C199E429CB7A2C736EE41CBA0

Function 00CDE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD170D
Part of subcall function 00CD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD173A
Part of subcall function 00CD16C3: GetLastError.KERNEL32 ref: 00CD174A

ExitWindowsEx.USER32(?,00000000), ref: 00CDE932

Strings

@, xrefs: 00CDE925
SeShutdownPrivilege, xrefs: 00CDE902
, xrefs: 00CDE95C
, xrefs: 00CDE920

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0ed2480e97bca9c557d5332122974a0481b63ebebc46af3c9aff17d08202fd09
Instruction ID: 15c6a2261f438ae6b4df7a22ceaecdcb644abc2692ed65eeaf2068796b07d992
Opcode Fuzzy Hash: 0ed2480e97bca9c557d5332122974a0481b63ebebc46af3c9aff17d08202fd09
Instruction Fuzzy Hash: 7E012672621311BBEB2433B59C9ABFF725C9704750F180923FE12E63D1D5A05D4481A0

Function 00CF1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CF1276
WSAGetLastError.WSOCK32 ref: 00CF1283
bind.WSOCK32(00000000,?,00000010), ref: 00CF12BA
WSAGetLastError.WSOCK32 ref: 00CF12C5
closesocket.WSOCK32(00000000), ref: 00CF12F4
listen.WSOCK32(00000000,00000005), ref: 00CF1303
WSAGetLastError.WSOCK32 ref: 00CF130D
closesocket.WSOCK32(00000000), ref: 00CF133C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ea0eb021e866b4783e644f576c4d583d30f8ae733aad55e33b4a5cf93519883f
Instruction ID: 4960358807edae1f77e8c0451e1af2325cd673861052c217e52761de93810d40
Opcode Fuzzy Hash: ea0eb021e866b4783e644f576c4d583d30f8ae733aad55e33b4a5cf93519883f
Instruction Fuzzy Hash: 4F417F31600245DFD750DF68C488B29BBE5AF46318F18C198E96A9F3A2C771ED85CBA1

Function 00CAB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CAB9D4
_free.LIBCMT ref: 00CAB9F8
_free.LIBCMT ref: 00CABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D13700), ref: 00CABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D4121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D41270,000000FF,?,0000003F,00000000,?), ref: 00CABC36
_free.LIBCMT ref: 00CABD4B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: d578f3bfb8e7b3fdd8ab5658984bf342041a7df863d9fc43d7402c9911676df9
Instruction ID: 1ab514e249158c7038b963870302a3c348f2fbfca1332a2dd25c0e58956b175c
Opcode Fuzzy Hash: d578f3bfb8e7b3fdd8ab5658984bf342041a7df863d9fc43d7402c9911676df9
Instruction Fuzzy Hash: 0AC11775904247AFCB209F799C41BAABBB8EF43318F14419AE4A5D7253EB309F41D760

Function 00CDD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

Part of subcall function 00CDE199: GetFileAttributesW.KERNEL32(?,00CDCF95), ref: 00CDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CDD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CDD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDD481
FindClose.KERNEL32(00000000), ref: 00CDD498
FindClose.KERNEL32(00000000), ref: 00CDD4A1

Strings

\*.*, xrefs: 00CDD3F2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2290501dbbbc4ff31c071c7fe0a24c82a9cbadb559558aeb53d12eb495ba7dee
Instruction ID: 4bf194489c6f49fbbe51736788dec485f6bc6fce60f913a31931ae7b25cbe38f
Opcode Fuzzy Hash: 2290501dbbbc4ff31c071c7fe0a24c82a9cbadb559558aeb53d12eb495ba7dee
Instruction Fuzzy Hash: DF3184314183459FC300EF64C8919AF77A8BE91314F449E1EF5DA932A1EB30AA09D763

Function 00CAE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CAE645

Strings

1#SNAN, xrefs: 00CAF844
1#INF, xrefs: 00CAF852
1#QNAN, xrefs: 00CAF84B
1#IND, xrefs: 00CAF83D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7cffa3a26d057b7b4822eaaa8ad0a1ef95f9a7b7fbc843875f6dd95863eaeba6
Instruction ID: 8ca79032775263f25b9fd4853118f3d2c4bbe2e0ff690951c1668eee8503a701
Opcode Fuzzy Hash: 7cffa3a26d057b7b4822eaaa8ad0a1ef95f9a7b7fbc843875f6dd95863eaeba6
Instruction Fuzzy Hash: 05C25D71E0462A8FDF25CE68DD447EAB7B5EB46308F1441EAD45DE7240E774AE828F80

Function 00CE648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CE64DC
CoInitialize.OLE32(00000000), ref: 00CE6639
CoCreateInstance.OLE32(00D0FCF8,00000000,00000001,00D0FB68,?), ref: 00CE6650
CoUninitialize.OLE32 ref: 00CE68D4

Strings

.lnk, xrefs: 00CE64BA, 00CE6524, 00CE65E0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bd4e945b558dc76b5d6719f0b44860647dbabd49dd064d1ba21a3122356de5ba
Instruction ID: 3eec1850809da67867602550423ec1cd8f5dd356c1f72b9bd0cef5b61346c67b
Opcode Fuzzy Hash: bd4e945b558dc76b5d6719f0b44860647dbabd49dd064d1ba21a3122356de5ba
Instruction Fuzzy Hash: E2D15B716183419FC314DF25C881E6BB7E8FF95344F10896DF5998B2A1DB30E909CBA2

Function 00CF22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CF22E8

Part of subcall function 00CEE4EC: GetWindowRect.USER32(?,?), ref: 00CEE504

GetDesktopWindow.USER32 ref: 00CF2312
GetWindowRect.USER32(00000000), ref: 00CF2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CF2355
GetCursorPos.USER32(?), ref: 00CF2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CF23DF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 15c84b4731af0b17541ac19e68e32bc96949a5c2cd2586cdc7abd7cb4c3eef8e
Instruction ID: ea0c24878697a616cc33b5a7cb561186e5054668359d99345bd5de7086197eea
Opcode Fuzzy Hash: 15c84b4731af0b17541ac19e68e32bc96949a5c2cd2586cdc7abd7cb4c3eef8e
Instruction Fuzzy Hash: 5231B0B25053199BC720DF55D849FABBBA9FB84314F000A19F699D7291D734EA08CB92

Function 00CE9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CE9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CE9C8B

Part of subcall function 00CE3874: GetInputState.USER32 ref: 00CE38CB
Part of subcall function 00CE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CE9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CE9C75

Strings

*.*, xrefs: 00CE9B5D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 50e4f4303bc0ebaa0519e87dc0d5f409086a1b52ddd893285786c8bdba98327b
Instruction ID: f3dc9848b6c0a03beb3d15349c809b343251050f52e7e00779211dc98d272554
Opcode Fuzzy Hash: 50e4f4303bc0ebaa0519e87dc0d5f409086a1b52ddd893285786c8bdba98327b
Instruction Fuzzy Hash: 8A41837190024AAFCF24EF65C849AEEBBB8EF05310F248155E419A3191EB309F84DF61

Function 00C8997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C89A4E
GetSysColor.USER32(0000000F), ref: 00C89B23
SetBkColor.GDI32(?,00000000), ref: 00C89B36

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: a395b68411d19f0129c2beee1ea81a3197542b04253ae6808cea9318014d4098
Instruction ID: ae69229c5ed83241ed21edce1f788c64407cec6e94fd6c106501cccdaa8956ea
Opcode Fuzzy Hash: a395b68411d19f0129c2beee1ea81a3197542b04253ae6808cea9318014d4098
Instruction Fuzzy Hash: 61A10B70208504BFE72DBA2DCC59FBB269DEB42348B18031DF522D6AD1CA359E41E779

Function 00CF1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF307A
Part of subcall function 00CF304E: _wcslen.LIBCMT ref: 00CF309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CF185D
WSAGetLastError.WSOCK32 ref: 00CF1884
bind.WSOCK32(00000000,?,00000010), ref: 00CF18DB
WSAGetLastError.WSOCK32 ref: 00CF18E6
closesocket.WSOCK32(00000000), ref: 00CF1915

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9d8bc87e9929b034905a2e74bef6c44a310e9370c4c4e38a3e05ae1c864e20f9
Instruction ID: ac117bf90ccec2dae2e65db116cd253d368444954e05cf35ed38022f142e248e
Opcode Fuzzy Hash: 9d8bc87e9929b034905a2e74bef6c44a310e9370c4c4e38a3e05ae1c864e20f9
Instruction Fuzzy Hash: 6951B271A00204AFDB50AF24C886F3A77E5AB44718F18C15CFA1A9F3D3D771AD419BA1

Function 00D01C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D01CC0
IsWindowEnabled.USER32 ref: 00D01CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D01CDB
IsIconic.USER32 ref: 00D01CE9
IsZoomed.USER32 ref: 00D01CF7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 85e1804356ff59c5f4d094045042b59be7707748641feafcd0cf0f9a13956546
Instruction ID: dcedbc033c76a83874dbca9e2f0570d231366641dc6d213abf0c51385d0eee42
Opcode Fuzzy Hash: 85e1804356ff59c5f4d094045042b59be7707748641feafcd0cf0f9a13956546
Instruction Fuzzy Hash: 73215E357412115FE7208F2AC884B6ABBA5FF95315B5D9068E84ECB391CB71EC42CBB4

Function 00C78060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C783E8
VUUU, xrefs: 00C7843C
ERCP, xrefs: 00C7813C
VUUU, xrefs: 00C783FA
VUUU, xrefs: 00CB5DF0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 135ced6ecddd028e1d6e8d7f0b76eb02af3072d87f2587876420759ed34dcee1
Instruction ID: 83b99a15e72dc0a50cc4e9d07101c04139fd4949e81b2238ecc308a2e989b113
Opcode Fuzzy Hash: 135ced6ecddd028e1d6e8d7f0b76eb02af3072d87f2587876420759ed34dcee1
Instruction Fuzzy Hash: A7A2A170E4061ACBDF24CF59C8447EEB7B1BF54310F2481AAE929A7285DB749E85CF90

Function 00CFA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CFA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CFA6BA

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CFA79C
CloseHandle.KERNEL32(00000000), ref: 00CFA7AB

Part of subcall function 00C8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CB3303,?), ref: 00C8CE8A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 50922a0f1e44d2383cfc3a8fddc0742bfb1eab3fb50884ad267fba9846577c3b
Instruction ID: 24481a62cae8a28f8aec0d83841ae388c20a104a37e52fce8ae8ebdce4567ce5
Opcode Fuzzy Hash: 50922a0f1e44d2383cfc3a8fddc0742bfb1eab3fb50884ad267fba9846577c3b
Instruction Fuzzy Hash: FF513E71508300AFD750EF25C886E6BBBE8FF89754F00891DF59997292EB70D904DB92

Function 00CDAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CDAAAC
SetKeyboardState.USER32(00000080), ref: 00CDAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CDAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CDAB88

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: dccc52e70923ac32d9cbdafa31f8b0cbedae017f13fd511a86acece433b9d4ba
Instruction ID: d3af0d4c6c937e529488b14385c010b8ded38d8b89947cb806ced38cd094e092
Opcode Fuzzy Hash: dccc52e70923ac32d9cbdafa31f8b0cbedae017f13fd511a86acece433b9d4ba
Instruction Fuzzy Hash: 8B311630A40208BFFB358B658C05BFA7BA6AB45310F04431BF2A5963E0D3758A82D766

Function 00CECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CECE89
GetLastError.KERNEL32(?,00000000), ref: 00CECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CECEFE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5421dc660dbc464afb1909e17c85d4f94ead91639075ec0fbe71e80c18f7b20a
Instruction ID: c8f4c85e64bc06627adf620fb0e849ca6169342ae892d22a830552fa244d4829
Opcode Fuzzy Hash: 5421dc660dbc464afb1909e17c85d4f94ead91639075ec0fbe71e80c18f7b20a
Instruction Fuzzy Hash: 3321BAB1900305AFEB20DFA6C989BAAB7F8EB50314F10441EE556E2251E770EE069B64

Function 00CD8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CD82AA

Strings

|, xrefs: 00CD82DA
(, xrefs: 00CD82F0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 47999ce8b58cefc295c4ec3064577206d7a3f5276a81654ebdb41b4891c0cbd2
Instruction ID: 2a8f0c13751035a234515ec66d8da92ed89a9fb8d4ae373f19ffdd15e03cc446
Opcode Fuzzy Hash: 47999ce8b58cefc295c4ec3064577206d7a3f5276a81654ebdb41b4891c0cbd2
Instruction Fuzzy Hash: BD323674A007059FCB28DF19C481A6AB7F0FF48720B15C56EE5AADB3A1EB70E941CB54

Function 00CE5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CE5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CE5D17
FindClose.KERNEL32(?), ref: 00CE5D5F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 8f5271f7874d5c31f6cbd5614123585e4063a163d5a871d7929238e6a42d4101
Instruction ID: 6d7cae7b7742e79740179e75b517734e8a549e43a0fa1b96512803adc6ce4e24
Opcode Fuzzy Hash: 8f5271f7874d5c31f6cbd5614123585e4063a163d5a871d7929238e6a42d4101
Instruction Fuzzy Hash: B351AC34604A419FC714DF29C894A9AB7E4FF49318F14855DE96A8B3A2CB30EE04CB91

Function 00CA2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CA271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CA2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CA2731

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a3a226bd4798539a69b552a68897c704e16f436259f30c0c0c161cf9f0c68422
Instruction ID: b559c1afabae6e62290c19875e8a3adb6651b1ade10fec7b8b14f8f4259af48b
Opcode Fuzzy Hash: a3a226bd4798539a69b552a68897c704e16f436259f30c0c0c161cf9f0c68422
Instruction Fuzzy Hash: 8331C674911328ABCB21DF68DC88798B7B8BF08310F5041DAE81CA7260E7309F819F54

Function 00CE51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CE5238
SetErrorMode.KERNEL32(00000000), ref: 00CE52A1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c1eef29e85b505ae61ee4dfdf91b5571f93b5451757fb7ca503b0a5002d6686e
Instruction ID: a76789d7bf2151e524bdfee5037d190473cff3b287eddd44fe97b792389baaf4
Opcode Fuzzy Hash: c1eef29e85b505ae61ee4dfdf91b5571f93b5451757fb7ca503b0a5002d6686e
Instruction Fuzzy Hash: 87318075A00608DFDB00DF55D884FADBBB4FF09318F048099E9099B392CB31E845CBA1

Function 00CD16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C90668
Part of subcall function 00C8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C90685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD173A
GetLastError.KERNEL32 ref: 00CD174A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 331541e7d3a19f15fbcf1893aecd942a034b482bf06b7758809f2bcf5a8a9c0a
Instruction ID: 2e0280059a3658b1a9d378b6205ef0eb78a2e841f3116f11877660849788e95a
Opcode Fuzzy Hash: 331541e7d3a19f15fbcf1893aecd942a034b482bf06b7758809f2bcf5a8a9c0a
Instruction Fuzzy Hash: 6B11BCB2410304BFE728AF64DC86E6BB7BDEB04714B24852EE55692251EB70BC428B24

Function 00CDD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CDD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00CDD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CDD650

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0f391cf7f7b1c29e51d08cb680d47998e7719816473a39f50021234d74a3f6c7
Instruction ID: b26a53a0122f7c904c266912eccae687eb1ba3c9cde6bcb8d4869c37becebae1
Opcode Fuzzy Hash: 0f391cf7f7b1c29e51d08cb680d47998e7719816473a39f50021234d74a3f6c7
Instruction Fuzzy Hash: AE117C71E01328BBDB108FA59C44FAFBBBCEB45B50F108156F918E7390D2704A018BA1

Function 00CD1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CD168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CD16A1
FreeSid.ADVAPI32(?), ref: 00CD16B1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 70dca1218a268adc3ea710e2c6af0def34cc212911a4f0373cdbebbb77673d1f
Instruction ID: 26cbe2ffa047b56e8b9f58c69b32df65ca45e312fcc2843fe6c816cb4ca3d13f
Opcode Fuzzy Hash: 70dca1218a268adc3ea710e2c6af0def34cc212911a4f0373cdbebbb77673d1f
Instruction Fuzzy Hash: AFF0F471950309FBEB00DFE49D89AAEBBBCEB08604F504565E901E2281E774AA448A60

Function 00C94CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CA28E9,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002,00000000,?,00CA28E9), ref: 00C94D09
TerminateProcess.KERNEL32(00000000,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002,00000000,?,00CA28E9), ref: 00C94D10
ExitProcess.KERNEL32 ref: 00C94D22

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f73c54cbd945fe6a347b672c3db5ae17e2c95a5160552ece2ca8d193396bc16d
Instruction ID: 08d1e5c062152817e199099c446fe1c8a9fd38561ddf3db3f5a45767aa5eb69d
Opcode Fuzzy Hash: f73c54cbd945fe6a347b672c3db5ae17e2c95a5160552ece2ca8d193396bc16d
Instruction Fuzzy Hash: B7E0B636020248ABCF19AF54DD0DE583B69FB46785B108118FC19CA222CB35DE42DA90

Function 00CAC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00CAC36C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 52ad10df642192e1af0e4085e19690d2815b8ff2b162f342e213ecd8f42d2a69
Instruction ID: 6a1ed8394ac3db60acdcc821310df864efda81c668346c9b95cbf65cbb205cea
Opcode Fuzzy Hash: 52ad10df642192e1af0e4085e19690d2815b8ff2b162f342e213ecd8f42d2a69
Instruction Fuzzy Hash: 60413B7690021A6FCB24DFB9DC89EFB77B8EB85318F104269F915D7190E6709E41CB50

Function 00CCD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CCD28C

Strings

X64, xrefs: 00CCD2A8

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f0ed4f37327d08aa803ad0849d0318fab003917d5bac094676ce0d5622b8e9ce
Instruction ID: 484e2aacc7c165cf725fa694e9daf164a4b8d9c36dd7c2d51d4364ef89e8084a
Opcode Fuzzy Hash: f0ed4f37327d08aa803ad0849d0318fab003917d5bac094676ce0d5622b8e9ce
Instruction Fuzzy Hash: F2D0C9B481111DEACB94DB90DCC8ED9B37CBB04305F100295F10AE2140D73095498F20

Function 00C9CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 889f6a180275049e092e9c36b78680d9f1481ff33b9fe0134d5df2df4ed5f887
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 2F021C72E002199FDF14CFA9C9C46ADFBF1EF48314F25816AD829E7384D731AA418B94

Function 00CE68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CE6918
FindClose.KERNEL32(00000000), ref: 00CE6961

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 47326caccc2fbbf6d6fd0941d41d205c0d6cd39ba69ebd695b9a17d923247c60
Instruction ID: 68ca60cb8f8ce02afc266f42f878ee664ceb085cd91ec6fffa4cfaeeb3763274
Opcode Fuzzy Hash: 47326caccc2fbbf6d6fd0941d41d205c0d6cd39ba69ebd695b9a17d923247c60
Instruction Fuzzy Hash: CF118E316142419FC710DF6AD484A1ABBE5FF85328F14C699E4698F7A2C730EC05CB91

Function 00CE37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CF4891,?,?,00000035,?), ref: 00CE37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CF4891,?,?,00000035,?), ref: 00CE37F4

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dcfec0dd66b16a03b1d507f1787da0e37d6e4c93165e6aee026c3f7b4bb1bf97
Instruction ID: 1afdc0795ac04a8b9f8e7652d3becc67b3f94fba8e653a57d1d1141d10daad6e
Opcode Fuzzy Hash: dcfec0dd66b16a03b1d507f1787da0e37d6e4c93165e6aee026c3f7b4bb1bf97
Instruction Fuzzy Hash: B9F0A0B06053682AEA2057A78C4DFEB3AAEEFC5761F000265B509D22D1D9609904C6B0

Function 00CDB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CDB25D
keybd_event.USER32(?,7608C0D0,?,00000000), ref: 00CDB270

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 8849233c6608e8d8dcbc5ede5bb557f9c28c62b91ab8ef5da3eb58e804b021e8
Instruction ID: 7fa38fcebb63dc3367abfba50d4fa6c93338240af3e81856e6cfd7357634d69f
Opcode Fuzzy Hash: 8849233c6608e8d8dcbc5ede5bb557f9c28c62b91ab8ef5da3eb58e804b021e8
Instruction Fuzzy Hash: 72F01D7581424EABDB059FA1C805BAE7BB4FF04305F00900AF965A5292C37986119FA4

Function 00CD10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD11FC), ref: 00CD10D4
CloseHandle.KERNEL32(?,?,00CD11FC), ref: 00CD10E9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dd91ad61738c6c97e1658f40429b072a8bd76ff4d0950c11dedc3a2d337765c6
Instruction ID: 3225818441f484e3cbe468e0b4c326798261d96629d5acbb809510009ccf32c2
Opcode Fuzzy Hash: dd91ad61738c6c97e1658f40429b072a8bd76ff4d0950c11dedc3a2d337765c6
Instruction Fuzzy Hash: 48E04F32014700EEE7252B11FC05F7377A9EB04310B14892EF5A5805B1DB62ACA0EB24

Function 00C7CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00CC0C40

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a6c2c9161df1bc9151298f9fcd7637a3e12e86af48f856d9d41ee223759563c8
Instruction ID: a4a7e0e3174b7f6a4623e088e8cb90953a3d25ba12abd370a370d0a8f1a7fac1
Opcode Fuzzy Hash: a6c2c9161df1bc9151298f9fcd7637a3e12e86af48f856d9d41ee223759563c8
Instruction Fuzzy Hash: A3328B70900219DBDF14DF94C885FEDB7B5BF05308F24806DE81AAB292D735AE46DB61

Function 00CA676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CA6766,?,?,00000008,?,?,00CAFEFE,00000000), ref: 00CA6998

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5b740cf1d799c853502034ff7bde98dcc0f26970211748af1821964e4564e2d4
Instruction ID: 48c271b352c8be24168cff457db8f36a5f0f474083a76af2a9592ee03169739b
Opcode Fuzzy Hash: 5b740cf1d799c853502034ff7bde98dcc0f26970211748af1821964e4564e2d4
Instruction Fuzzy Hash: D0B12D7151060A9FD715CF28C48AB657BE0FF46368F298658E8A9CF2E1C735DE91CB40

Function 00C8B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00CC851F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6e20d15df19d7f07fc9e3105572c28351bcdfc69370ee9911748f5e8ffdaccf4
Instruction ID: f92bd0cbf3da08644002ff08a841d624dcf79e5c154032edb6ee1d73487e2d67
Opcode Fuzzy Hash: 6e20d15df19d7f07fc9e3105572c28351bcdfc69370ee9911748f5e8ffdaccf4
Instruction Fuzzy Hash: F01270719002299BDB14DF59C881BEEB7B5FF48710F1481AAE809EB251DB309E85CFA4

Function 00CEEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CEEABD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 217695f45353514774f5173c5f4030c0c966cbc20997226c147a1d1f69546bfd
Instruction ID: b9b0859efa15aac4b4530aaeea13985a15f321166bf453e4efdfe8f181978c95
Opcode Fuzzy Hash: 217695f45353514774f5173c5f4030c0c966cbc20997226c147a1d1f69546bfd
Instruction Fuzzy Hash: 48E012312102059FC710EF5AD444E9ABBD9AF58760F00842AFC49C7351D770A8409B90

Function 00C909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C903EE), ref: 00C909DA

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f31a13ab6f6682ee1e37767498c7835083787ee6ae4432ef8050d9258eb5638e
Instruction ID: 46923d12b51be5985d2a3a5e5f78d1eacbbcdb32454e5d4384e1637fa957531a
Opcode Fuzzy Hash: f31a13ab6f6682ee1e37767498c7835083787ee6ae4432ef8050d9258eb5638e
Instruction Fuzzy Hash:

Function 00C9781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C9798B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0c45e17a8096f7d7a91312b817f15a749498b5fcbaf414fae88ea8df9ecf70a6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 5451897163F7055BDF388669895E7BE2385DB02704F180709E8A2EB2C2CA15DF06E35E

Function 00CA6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb40b8073dc11f0dfe5e5ec88a93ee9fb89207679faa54a5d1bb24a96559742
Instruction ID: 3b3afdff6f3c3417af60e68ead79501eced84fb1f19d6fdf0f555b494a1e92f9
Opcode Fuzzy Hash: 1cb40b8073dc11f0dfe5e5ec88a93ee9fb89207679faa54a5d1bb24a96559742
Instruction Fuzzy Hash: 2F322522D29F024DDB239635DC223366649AFB73C9F15D737F82AB5AA5EF29C5834100

Function 00C8CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588bdeb9e89dbec76bcf2302cec703f8a8155062bb5cff34e68c8d7eeed9e42
Instruction ID: 2b43a943924734dca4e157084c79af9618d56f46d52ee1cedbf717fec2144369
Opcode Fuzzy Hash: 7588bdeb9e89dbec76bcf2302cec703f8a8155062bb5cff34e68c8d7eeed9e42
Instruction Fuzzy Hash: 63320532A001158BDF28DF29C4E4F7D7BA1EB45304F29856ED46EDB291D234DE81EB61

Function 00C77920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87627c16a8f2230bd68052d4dc0493c8d5a5a25d56f37f25e9aaeb0f38be3bdb
Instruction ID: fb42541454f2ca8e2348aa0d1624bff58316c6f76c5502a20f74629b46546fc7
Opcode Fuzzy Hash: 87627c16a8f2230bd68052d4dc0493c8d5a5a25d56f37f25e9aaeb0f38be3bdb
Instruction Fuzzy Hash: 3422AE70A00609DFDF14CF65C881AEEB7F5FF48300F248629E816A7291EB36AE15DB50

Function 00C791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfa7a32913f18121d76801efcee5b69957d122cae977c2af99923f34ea9dc3c
Instruction ID: 958d574201f9e64237ae1420e3599e4c54382405fc0b9a2daaa8d26dcb490fb7
Opcode Fuzzy Hash: bcfa7a32913f18121d76801efcee5b69957d122cae977c2af99923f34ea9dc3c
Instruction Fuzzy Hash: 1302C7B1A00205EBDF04DF65D881AEEBBB5FF44704F108169E81ADB391EB31AE11DB95

Function 00C91C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: e06fdc9c56439624388cc98827dd0d2d37b48724a18138462c53fc5375cee323
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F59136736090A34ADF2A463A857E07DFFE15B523A131E079DDCF2CA1C5EE24DA64D620

Function 00C919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1e6dd8e6e9ea20a47233dbb3a60ef22df369d3da0c6a9a2694a4623a498229b3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A69113722090E34EDF69467A857E03DFFE15B923A231E079DD8F2CA1C5FD24DA54A620

Function 00C97A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed32fbe71f2231879ce58ee54a7a86fb44d900b438ec75f455055666f8aee8db
Instruction ID: 9d3c2aa2b2a8e845bf41a3ebb2cf85387de9c32a8b8f54f233902854e1688b45
Opcode Fuzzy Hash: ed32fbe71f2231879ce58ee54a7a86fb44d900b438ec75f455055666f8aee8db
Instruction Fuzzy Hash: 48618A3123A30997DE389A2C8C9DBBE2395EF41700F141B1AF853DB291DA11DF46E355

Function 00C97CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0611012019e1c4f6d6ad6df589a34ccf416a1065868c1370410a0c7dcffce33c
Instruction ID: a62b0e2f9e4dc225eac12479ab25b89fe7cfb899b690d1f1a6362174714b91b8
Opcode Fuzzy Hash: 0611012019e1c4f6d6ad6df589a34ccf416a1065868c1370410a0c7dcffce33c
Instruction Fuzzy Hash: 5A618A7333A7099BDE384A28889EBBF3384EF42704F100B59E853DB681DA12DF469355

Function 00C91706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 84535b48698272dcd6d4b4725498ca700f9c159e5b35563a0560d0190068a08b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F38151726090A349DF69467A853A43EFFE15B923A131F079DD8F2CA1C1EE24D754E620

Function 00CE2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b72e3cad500d82ec822a472369dfe2e90af336cf27c4ffd69a8f08e570eda3
Instruction ID: b4c2899fd66122bbed6111cacc245a6dae0e6e87ec713f1973aa851d0617a90f
Opcode Fuzzy Hash: c4b72e3cad500d82ec822a472369dfe2e90af336cf27c4ffd69a8f08e570eda3
Instruction Fuzzy Hash: F021BB326206158BD728CF79C81367E73E9A754310F55862EE4A7C37D0DE35A904D790

Function 00CF2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CF2B30
DeleteObject.GDI32(00000000), ref: 00CF2B43
DestroyWindow.USER32 ref: 00CF2B52
GetDesktopWindow.USER32 ref: 00CF2B6D
GetWindowRect.USER32(00000000), ref: 00CF2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CF2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CF2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2CF8
GetClientRect.USER32(00000000,?), ref: 00CF2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CF2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2DA8
GlobalFree.KERNEL32(00000000), ref: 00CF2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D0FC38,00000000), ref: 00CF2DDB
GlobalFree.KERNEL32(00000000), ref: 00CF2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CF2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CF2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF303F

Strings

DISPLAY, xrefs: 00CF2EA2
, xrefs: 00CF2FC5
AutoIt v3, xrefs: 00CF2CF2
static, xrefs: 00CF2D3A, 00CF2E91

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 40748fb572bdab15981ec40b7fdedc5d13cd26b0c297064cfd175cc9a08805d1
Instruction ID: bdda16f38bfc968dfeea409c283c9afb69f20bb4a1914cc744bb3ddff16c0333
Opcode Fuzzy Hash: 40748fb572bdab15981ec40b7fdedc5d13cd26b0c297064cfd175cc9a08805d1
Instruction Fuzzy Hash: 19027E75510219AFDB14DFA4CC89FAE7BB9EF49710F108258F919EB2A1CB70AD01CB61

Function 00D070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D0712F
GetSysColorBrush.USER32(0000000F), ref: 00D07160
GetSysColor.USER32(0000000F), ref: 00D0716C
SetBkColor.GDI32(?,000000FF), ref: 00D07186
SelectObject.GDI32(?,?), ref: 00D07195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D071C0
GetSysColor.USER32(00000010), ref: 00D071C8
CreateSolidBrush.GDI32(00000000), ref: 00D071CF
FrameRect.USER32(?,?,00000000), ref: 00D071DE
DeleteObject.GDI32(00000000), ref: 00D071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D07230
FillRect.USER32(?,?,?), ref: 00D07262
GetWindowLongW.USER32(?,000000F0), ref: 00D07284

Part of subcall function 00D073E8: GetSysColor.USER32(00000012), ref: 00D07421
Part of subcall function 00D073E8: SetTextColor.GDI32(?,?), ref: 00D07425
Part of subcall function 00D073E8: GetSysColorBrush.USER32(0000000F), ref: 00D0743B
Part of subcall function 00D073E8: GetSysColor.USER32(0000000F), ref: 00D07446
Part of subcall function 00D073E8: GetSysColor.USER32(00000011), ref: 00D07463
Part of subcall function 00D073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D07471
Part of subcall function 00D073E8: SelectObject.GDI32(?,00000000), ref: 00D07482
Part of subcall function 00D073E8: SetBkColor.GDI32(?,00000000), ref: 00D0748B
Part of subcall function 00D073E8: SelectObject.GDI32(?,?), ref: 00D07498
Part of subcall function 00D073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D074B7
Part of subcall function 00D073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D074CE
Part of subcall function 00D073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D074DB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 03963e7f9081b12a57f9ea07f2b5d5306b31004974bc62961ff42c0369895f4a
Instruction ID: 9fb4384d3ee3cc33c6b558a461a06125b3a46eb33c4f6f5e4c56ff0b7e8555da
Opcode Fuzzy Hash: 03963e7f9081b12a57f9ea07f2b5d5306b31004974bc62961ff42c0369895f4a
Instruction Fuzzy Hash: 4CA19072418301AFD7109F60DC48B5B7BA9FF89320F141B19F9AADA2E1D771E944CB62

Function 00C88D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C88E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CC6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CC6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CC6F43

Part of subcall function 00C88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C88BE8,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00C88FC5

SendMessageW.USER32(?,00001053), ref: 00CC6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CC6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CC6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CC6FB7

Strings

0, xrefs: 00CC6DCF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: cfe984c4a37f50945dcbd30f6be7ae05700702a2869c49412a1a4470ac2cb85a
Instruction ID: 3aeff4d487e494fafb2385be512ed9c9f0697179ab539ea516efa69ba98885fe
Opcode Fuzzy Hash: cfe984c4a37f50945dcbd30f6be7ae05700702a2869c49412a1a4470ac2cb85a
Instruction Fuzzy Hash: 5812BC38200201AFDB21DF24CA94FA6B7E1FB49304F54456DE4A9CB661CB31ED96DFA1

Function 00CF2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CF273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CF286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CF28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CF28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CF2900
GetClientRect.USER32(00000000,?), ref: 00CF290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CF2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CF2964
GetStockObject.GDI32(00000011), ref: 00CF2974
SelectObject.GDI32(00000000,00000000), ref: 00CF2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CF2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF2991
DeleteDC.GDI32(00000000), ref: 00CF299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CF29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CF29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CF2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CF2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CF2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CF2A77
GetStockObject.GDI32(00000011), ref: 00CF2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CF2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CF2A97

Strings

DISPLAY, xrefs: 00CF295A
AutoIt v3, xrefs: 00CF28F8
static, xrefs: 00CF294F, 00CF2A71
msctls_progress32, xrefs: 00CF2A13

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: abd31faf1fcb6891b096ab6fd8b40b5ae0f92243de127ce204ccfaf2e20c509c
Instruction ID: 7de6709c66a1e79768543109628a7e62b1a1c9b1e7c9cd4a4f04cbb377c9cced
Opcode Fuzzy Hash: abd31faf1fcb6891b096ab6fd8b40b5ae0f92243de127ce204ccfaf2e20c509c
Instruction Fuzzy Hash: E0B13E75A50319AFEB14DFA8CC49FAE7BA9EB49710F108215FA15E72D0D770AD40CBA0

Function 00CE4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE4AED
GetDriveTypeW.KERNEL32(?,00D0CB68,?,\\.\,00D0CC08), ref: 00CE4BCA
SetErrorMode.KERNEL32(00000000,00D0CB68,?,\\.\,00D0CC08), ref: 00CE4D36

Strings

MMC, xrefs: 00CE4CDE
Network, xrefs: 00CE4C02
CDROM, xrefs: 00CE4BFB
iSCSI, xrefs: 00CE4CC2
SCSI, xrefs: 00CE4C8A
Fibre, xrefs: 00CE4CAD
SSD, xrefs: 00CE4C4A
SATA, xrefs: 00CE4CD0
1394, xrefs: 00CE4C9F
Virtual, xrefs: 00CE4CE5
RAID, xrefs: 00CE4CBB
FileBackedVirtual, xrefs: 00CE4CEC
SSA, xrefs: 00CE4CA6
ATA, xrefs: 00CE4C98
Fixed, xrefs: 00CE4C09
Unknown, xrefs: 00CE4BED, 00CE4C83
RAMDisk, xrefs: 00CE4BF4
USB, xrefs: 00CE4CB4
PhysicalDrive, xrefs: 00CE4B76
ATAPI, xrefs: 00CE4C91
\\.\, xrefs: 00CE4B3F
Removable, xrefs: 00CE4C10, 00CE4C15
SAS, xrefs: 00CE4CC9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7dc23c390a5b4d45556cc1092a3082f277fad738d7d44106ba977b40111724ee
Instruction ID: 4fe6dec480d29339e5b9dfeaf20591d5f5d152b520cc40a895c7b49870dabcf7
Opcode Fuzzy Hash: 7dc23c390a5b4d45556cc1092a3082f277fad738d7d44106ba977b40111724ee
Instruction Fuzzy Hash: D461AF30605286EFCB08DF26DA829AD77B0EB44740F34C415F80AAB691DB75EE45EB61

Function 00D073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D07421
SetTextColor.GDI32(?,?), ref: 00D07425
GetSysColorBrush.USER32(0000000F), ref: 00D0743B
GetSysColor.USER32(0000000F), ref: 00D07446
CreateSolidBrush.GDI32(?), ref: 00D0744B
GetSysColor.USER32(00000011), ref: 00D07463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D07471
SelectObject.GDI32(?,00000000), ref: 00D07482
SetBkColor.GDI32(?,00000000), ref: 00D0748B
SelectObject.GDI32(?,?), ref: 00D07498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D0752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D07554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D07572
DrawFocusRect.USER32(?,?), ref: 00D0757D
GetSysColor.USER32(00000011), ref: 00D0758E
SetTextColor.GDI32(?,00000000), ref: 00D07596
DrawTextW.USER32(?,00D070F5,000000FF,?,00000000), ref: 00D075A8
SelectObject.GDI32(?,?), ref: 00D075BF
DeleteObject.GDI32(?), ref: 00D075CA
SelectObject.GDI32(?,?), ref: 00D075D0
DeleteObject.GDI32(?), ref: 00D075D5
SetTextColor.GDI32(?,?), ref: 00D075DB
SetBkColor.GDI32(?,?), ref: 00D075E5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5d279fbe016864c286d484075410b5a782f586ff13de643bd5a76fc624898cfc
Instruction ID: 1e186a7820d73d964f59efd6ee0081673e875e2d856fac130348e281ab1a51c7
Opcode Fuzzy Hash: 5d279fbe016864c286d484075410b5a782f586ff13de643bd5a76fc624898cfc
Instruction Fuzzy Hash: 6E616C76D00218AFDB019FA4DC49BEE7FB9EB09320F145215F919EB2E1D771A940CBA0

Function 00D00FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D01128
GetDesktopWindow.USER32 ref: 00D0113D
GetWindowRect.USER32(00000000), ref: 00D01144
GetWindowLongW.USER32(?,000000F0), ref: 00D01199
DestroyWindow.USER32(?), ref: 00D011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D0120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D0121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D01232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D01245
IsWindowVisible.USER32(00000000), ref: 00D012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D012D0
GetWindowRect.USER32(00000000,?), ref: 00D012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D0130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D01328
CopyRect.USER32(?,?), ref: 00D0133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D013AA

Strings

(, xrefs: 00D0131B
0, xrefs: 00D010D3
tooltips_class32, xrefs: 00D011E6

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9d3717abb87c61346560498b7cbae8441a35a163d3c766082a88a4770ba45744
Instruction ID: 7afc32ee1e786767881fa946aba9ebc0e9254c043f202de6129aae94916106ca
Opcode Fuzzy Hash: 9d3717abb87c61346560498b7cbae8441a35a163d3c766082a88a4770ba45744
Instruction Fuzzy Hash: 71B18B75604341AFD714DF64C885B6ABBE4FF84754F008A1CF99D9B2A1C771E844CBA2

Function 00D00241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D002E5
_wcslen.LIBCMT ref: 00D0031F
_wcslen.LIBCMT ref: 00D00389
_wcslen.LIBCMT ref: 00D003F1
_wcslen.LIBCMT ref: 00D00475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D00504

Part of subcall function 00C8F9F2: _wcslen.LIBCMT ref: 00C8F9FD

Part of subcall function 00CD223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CD2258
Part of subcall function 00CD223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CD228A

Strings

SELECTCLEAR, xrefs: 00D0052D
SELECTALL, xrefs: 00D00515
GETSELECTED, xrefs: 00D005E1
GETTEXT, xrefs: 00D003EC, 00D00407
VIEWCHANGE, xrefs: 00D00675
FINDITEM, xrefs: 00D00627
GETSELECTEDCOUNT, xrefs: 00D00470, 00D0048B
GETITEMCOUNT, xrefs: 00D00316, 00D00337
SELECT, xrefs: 00D00548
ISSELECTED, xrefs: 00D004DD
SELECTINVERT, xrefs: 00D0057E
GETSUBITEMCOUNT, xrefs: 00D00384, 00D0039F
DESELECT, xrefs: 00D0059C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1cc5158b28ba6a737db4eb171fc68fb36cb55ea9d114f6eeae8ef3c9cc1fc470
Instruction ID: 9c22e71e26f5b0597a1bce014170802645f1b282de4454b6dd0f0956f9b5f5e0
Opcode Fuzzy Hash: 1cc5158b28ba6a737db4eb171fc68fb36cb55ea9d114f6eeae8ef3c9cc1fc470
Instruction Fuzzy Hash: B9E1B031208601AFC724DF24C450A2EBBE6FF98714F14855DF89A9B3A1DB30ED45DBA1

Function 00C88891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C88968
GetSystemMetrics.USER32(00000007), ref: 00C88970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C8899B
GetSystemMetrics.USER32(00000008), ref: 00C889A3
GetSystemMetrics.USER32(00000004), ref: 00C889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C88A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C88A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C88A5A
GetStockObject.GDI32(00000011), ref: 00C88A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C88A81

Part of subcall function 00C8912D: GetCursorPos.USER32(?), ref: 00C89141
Part of subcall function 00C8912D: ScreenToClient.USER32(00000000,?), ref: 00C8915E
Part of subcall function 00C8912D: GetAsyncKeyState.USER32(00000001), ref: 00C89183
Part of subcall function 00C8912D: GetAsyncKeyState.USER32(00000002), ref: 00C8919D

SetTimer.USER32(00000000,00000000,00000028,00C890FC), ref: 00C88AA8

Strings

AutoIt v3 GUI, xrefs: 00C88A20

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2ab23f807e311c5a215230309c99485e48572752770582131ee5b863109d0e2e
Instruction ID: b9442e2a8f6f51e8c657d7c69c6202f6994ac4582e5fb9c34db60bc38ef6465f
Opcode Fuzzy Hash: 2ab23f807e311c5a215230309c99485e48572752770582131ee5b863109d0e2e
Instruction Fuzzy Hash: 7AB16D79A00209AFDB14DFA8CD49BAE3BB5FB48314F104229FA15E72D0DB74A941CF65

Function 00CD0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1114
Part of subcall function 00CD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1120
Part of subcall function 00CD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD112F
Part of subcall function 00CD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1136
Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD0E29
GetLengthSid.ADVAPI32(?), ref: 00CD0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00CD0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD0E96
GetLengthSid.ADVAPI32(?), ref: 00CD0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CD0EB5
HeapAlloc.KERNEL32(00000000), ref: 00CD0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD0EDD
CopySid.ADVAPI32(00000000), ref: 00CD0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0F6E
HeapFree.KERNEL32(00000000), ref: 00CD0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0F7E
HeapFree.KERNEL32(00000000), ref: 00CD0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0F8E
HeapFree.KERNEL32(00000000), ref: 00CD0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD0FA1
HeapFree.KERNEL32(00000000), ref: 00CD0FA8

Part of subcall function 00CD1193: GetProcessHeap.KERNEL32(00000008,00CD0BB1,?,00000000,?,00CD0BB1,?), ref: 00CD11A1
Part of subcall function 00CD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CD0BB1,?), ref: 00CD11A8
Part of subcall function 00CD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CD0BB1,?), ref: 00CD11B7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 953e7989dcb864f85d48ab110af5e1d32adf5f35eb3b1b33eaaa06514503cb9d
Instruction ID: 381f400f9c9ee728c98ba56da4e424b1cdf63ed1c9dfddd4e05e2b76937e9f1c
Opcode Fuzzy Hash: 953e7989dcb864f85d48ab110af5e1d32adf5f35eb3b1b33eaaa06514503cb9d
Instruction Fuzzy Hash: 43714272900309ABDF10DFA5DC49FEEBBB8BF05311F244216FA69E6291D7719A05CB60

Function 00CFC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D0CC08,00000000,?,00000000,?,?), ref: 00CFC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CFC5A4
_wcslen.LIBCMT ref: 00CFC5F4
_wcslen.LIBCMT ref: 00CFC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CFC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CFC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CFC84D
RegCloseKey.ADVAPI32(?), ref: 00CFC881
RegCloseKey.ADVAPI32(00000000), ref: 00CFC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CFC960

Strings

REG_BINARY, xrefs: 00CFC913
REG_MULTI_SZ, xrefs: 00CFC6F5
REG_DWORD, xrefs: 00CFC804
REG_SZ, xrefs: 00CFC644
REG_QWORD, xrefs: 00CFC8C3
REG_EXPAND_SZ, xrefs: 00CFC5CD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: fd3f01cc515d62bd6a8878e08a858ca26c12a63425565a8c9400587bf79455d1
Instruction ID: 3c64195d07b3fc7db73e1cd99ea61a603fe3ffa318f99d7b6fb715f328dfae18
Opcode Fuzzy Hash: fd3f01cc515d62bd6a8878e08a858ca26c12a63425565a8c9400587bf79455d1
Instruction Fuzzy Hash: 5B1278312042099FCB54DF24C981E2AB7E5FF88754F14895CF99A9B3A2DB31ED41DB82

Function 00D0091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D009C6
_wcslen.LIBCMT ref: 00D00A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D00A54
_wcslen.LIBCMT ref: 00D00A8A
_wcslen.LIBCMT ref: 00D00B06
_wcslen.LIBCMT ref: 00D00B81

Part of subcall function 00C8F9F2: _wcslen.LIBCMT ref: 00C8F9FD

Part of subcall function 00CD2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CD2BFA

Strings

COLLAPSE, xrefs: 00D00B01, 00D00B1C
GETITEMCOUNT, xrefs: 00D00C1E
UNCHECK, xrefs: 00D00D3E
SELECT, xrefs: 00D00D11
GETSELECTED, xrefs: 00D00C4E
EXPAND, xrefs: 00D00BF8
GETTEXT, xrefs: 00D00C97
ISCHECKED, xrefs: 00D00CE1
EXISTS, xrefs: 00D00B7C, 00D00B97
GETTOTALCOUNT, xrefs: 00D009F2, 00D00A17
CHECK, xrefs: 00D00A85, 00D00AA0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 34bf5350adbc42d8921fc0e8226bd369fe79d68726dfdcf28b18fcd09ab5f176
Instruction ID: d140d2900af70b7fae97df48abb571180c4baa333eeefe3f262e5259853c457f
Opcode Fuzzy Hash: 34bf5350adbc42d8921fc0e8226bd369fe79d68726dfdcf28b18fcd09ab5f176
Instruction Fuzzy Hash: 3BE19F31208701AFC714DF24C450A2ABBE1FF98354F18895DF89A9B3A2D731ED46DBA1

Function 00CFC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
_wcslen.LIBCMT ref: 00CFC9F1
_wcslen.LIBCMT ref: 00CFCA68
_wcslen.LIBCMT ref: 00CFCA9E
_wcslen.LIBCMT ref: 00CFCAF9
_wcslen.LIBCMT ref: 00CFCB2F
_wcslen.LIBCMT ref: 00CFCB7F

Strings

HKU, xrefs: 00CFCBF0
HKCC, xrefs: 00CFCBAC
HKEY_LOCAL_MACHINE, xrefs: 00CFCA62, 00CFCA67
HKCU, xrefs: 00CFCBCE
HKEY_CLASSES_ROOT, xrefs: 00CFCAF3, 00CFCAF8
HKLM, xrefs: 00CFCA98, 00CFCA9D
HKEY_USERS, xrefs: 00CFCBDF
HKCR, xrefs: 00CFCB29, 00CFCB2E
HKEY_CURRENT_USER, xrefs: 00CFCBBD
HKEY_CURRENT_CONFIG, xrefs: 00CFCB79, 00CFCB7E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: bc0f1bc88c49836923b5f9ffe92c9a9d3b360b599b278ad9789493e9fef267c0
Instruction ID: 548ff8f0c2be7e092315bcca8b31b8b70ab5175b03725270d454e1f7b93db57a
Opcode Fuzzy Hash: bc0f1bc88c49836923b5f9ffe92c9a9d3b360b599b278ad9789493e9fef267c0
Instruction Fuzzy Hash: 3871147270052E8BCB60DE3DCAC15BE3391AF60754F210528FA7697284E631DE45E3A2

Function 00D0833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0835A
_wcslen.LIBCMT ref: 00D0836E
_wcslen.LIBCMT ref: 00D08391
_wcslen.LIBCMT ref: 00D083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D05BF2), ref: 00D0844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D08487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D08501
FreeLibrary.KERNEL32(?), ref: 00D0850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D0851D
DestroyIcon.USER32(?,?,?,?,?,00D05BF2), ref: 00D0852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D08549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D08555

Strings

.dll, xrefs: 00D083AB
.icl, xrefs: 00D08368
.exe, xrefs: 00D08388

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d6c94904bdd3be6ec7d4bdae0147fdebb033ab5652e16f14e5bbdb48beb51bb6
Instruction ID: 0e02d5a187e975f93abc0b76e63478e7a1b7bd247459507e0e1d59fcb8d88328
Opcode Fuzzy Hash: d6c94904bdd3be6ec7d4bdae0147fdebb033ab5652e16f14e5bbdb48beb51bb6
Instruction Fuzzy Hash: A061BF71900319BEEB14DF64CC89BBE77A8BB04B21F104609F859E61D1DB74E980EBB0

Function 00C77778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00C77847
#pragma compile, xrefs: 00C777D3
Bad directive syntax error, xrefs: 00CB519A
Unterminated group of comments, xrefs: 00CB528C
#cs, xrefs: 00C77873, 00C778C5
#comments-end, xrefs: 00C778D9
Cannot parse #include, xrefs: 00CB5279
#notrayicon, xrefs: 00C777E7
", xrefs: 00CB5153
', xrefs: 00CB5169
#requireadmin, xrefs: 00C777FF
#ce, xrefs: 00C778ED
#OnAutoItStartRegister, xrefs: 00C77817
#comments-start, xrefs: 00C7785F, 00C778B1
#include-once, xrefs: 00C7782F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 63d7facbb277260824f4b5ff45e771e80ec83ceeed6083bc4ce6d5cb56ee855a
Instruction ID: 5d4946d3284a49056c15ec2f4f7e24c448fa9944050572995ddce79a1d354fa7
Opcode Fuzzy Hash: 63d7facbb277260824f4b5ff45e771e80ec83ceeed6083bc4ce6d5cb56ee855a
Instruction Fuzzy Hash: 4681F271604209BFDF25AF64CC82FAE37A8AF15300F048125F918AB1D6EB70DA15E7A1

Function 00CD5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00CD5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CD5A40
SetWindowTextW.USER32(?,?), ref: 00CD5A57
GetDlgItem.USER32(?,000003EA), ref: 00CD5A6C
SetWindowTextW.USER32(00000000,?), ref: 00CD5A72
GetDlgItem.USER32(?,000003E9), ref: 00CD5A82
SetWindowTextW.USER32(00000000,?), ref: 00CD5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CD5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CD5AC3
GetWindowRect.USER32(?,?), ref: 00CD5ACC
_wcslen.LIBCMT ref: 00CD5B33
SetWindowTextW.USER32(?,?), ref: 00CD5B6F
GetDesktopWindow.USER32 ref: 00CD5B75
GetWindowRect.USER32(00000000), ref: 00CD5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CD5BD3
GetClientRect.USER32(?,?), ref: 00CD5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00CD5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CD5C2F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3dd5086bd2f5a942293d0003b70159e665e9ef59130b1dc4dbb991f300ab869d
Instruction ID: 9a2e38858558bf33af6fad6e7032437d49bec07c5c31ebfb6087568e91673c4d
Opcode Fuzzy Hash: 3dd5086bd2f5a942293d0003b70159e665e9ef59130b1dc4dbb991f300ab869d
Instruction Fuzzy Hash: 1B717031900B05AFDB20DFA9CD85B6EBBF5FF48704F10461AE256E26A0D775E940CB60

Function 00C900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C900C6

Part of subcall function 00C900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D4070C,00000FA0,03B5EE7E,?,?,?,?,00CB23B3,000000FF), ref: 00C9011C
Part of subcall function 00C900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CB23B3,000000FF), ref: 00C90127
Part of subcall function 00C900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CB23B3,000000FF), ref: 00C90138
Part of subcall function 00C900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C9014E
Part of subcall function 00C900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C9015C
Part of subcall function 00C900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C9016A
Part of subcall function 00C900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C90195
Part of subcall function 00C900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C901A0

___scrt_fastfail.LIBCMT ref: 00C900E7

Part of subcall function 00C900A3: __onexit.LIBCMT ref: 00C900A9

Strings

kernel32.dll, xrefs: 00C90133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C90122
InitializeConditionVariable, xrefs: 00C90148
WakeAllConditionVariable, xrefs: 00C90162
SleepConditionVariableCS, xrefs: 00C90154

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8d7bf465b838833f22cc7a0a234b264dee9cdfc605784108b95f00de6501a0a9
Instruction ID: 1ef7a818ca470ae88e870960fdbdfb0aae67fad51447f33a3d7937fff94294fe
Opcode Fuzzy Hash: 8d7bf465b838833f22cc7a0a234b264dee9cdfc605784108b95f00de6501a0a9
Instruction Fuzzy Hash: C721DB32654710AFDB206BA4AC0EB6E3798DB05B51F20023AF905E37D1DB749C009AB5

Function 00CD30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CD318D
_wcslen.LIBCMT ref: 00CD31F8

Strings

INSTANCE, xrefs: 00CD3453
CLASSNN, xrefs: 00CD31F3, 00CD3204
CLASS, xrefs: 00CD3188, 00CD31A5
NAME, xrefs: 00CD3335, 00CD3346
REGEXPCLASS, xrefs: 00CD3255, 00CD3266
TEXT, xrefs: 00CD347C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 4e50a9e20285d89bd5e5c6646c46286639cc375b5acc0fb0cae29eb9b89c1d30
Instruction ID: cd0e13a0013c56532906878587d25e154a6f045f04d88a2a23f5d3a8ad6f2c6a
Opcode Fuzzy Hash: 4e50a9e20285d89bd5e5c6646c46286639cc375b5acc0fb0cae29eb9b89c1d30
Instruction Fuzzy Hash: 94E1F532A00556ABCF189F64C8517EEFBB4BF44710F14811BE666B7350EB30AF8597A1

Function 00CE44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D0CC08), ref: 00CE4527
_wcslen.LIBCMT ref: 00CE453B
_wcslen.LIBCMT ref: 00CE4599
_wcslen.LIBCMT ref: 00CE45F4
_wcslen.LIBCMT ref: 00CE463F
_wcslen.LIBCMT ref: 00CE46A7

Part of subcall function 00C8F9F2: _wcslen.LIBCMT ref: 00C8F9FD

GetDriveTypeW.KERNEL32(?,00D36BF0,00000061), ref: 00CE4743

Strings

all, xrefs: 00CE4531, 00CE4536
removable, xrefs: 00CE45EA, 00CE45EF
ramdisk, xrefs: 00CE46F1
cdrom, xrefs: 00CE458F, 00CE4594
fixed, xrefs: 00CE4635, 00CE463A
network, xrefs: 00CE469D, 00CE46A2
unknown, xrefs: 00CE4708

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d7fa6f1a641cab0c12a388d95af1dcc0f637fb934a81fae9dc943ac3bb9aad6e
Instruction ID: 6d93b4d014f6e34bf518959e632ea2a195ffc401c3d77564c4342851725d07f6
Opcode Fuzzy Hash: d7fa6f1a641cab0c12a388d95af1dcc0f637fb934a81fae9dc943ac3bb9aad6e
Instruction Fuzzy Hash: 04B106716083429FC718DF2AC890A6EB7E5FFA5720F50891DF4AAC7291D730D945CBA2

Function 00CFAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CFB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB1D4
_wcslen.LIBCMT ref: 00CFB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB236
_wcslen.LIBCMT ref: 00CFB332

Part of subcall function 00CE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CE05C6

_wcslen.LIBCMT ref: 00CFB34B
_wcslen.LIBCMT ref: 00CFB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CFB3B6
GetLastError.KERNEL32(00000000), ref: 00CFB407
CloseHandle.KERNEL32(?), ref: 00CFB439
CloseHandle.KERNEL32(00000000), ref: 00CFB44A
CloseHandle.KERNEL32(00000000), ref: 00CFB45C
CloseHandle.KERNEL32(00000000), ref: 00CFB46E
CloseHandle.KERNEL32(?), ref: 00CFB4E3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1d56fc99d5b2cc9936efa365c1cd5755dd26ac13a69dfae11bed51c64f5fad99
Instruction ID: 54fae65561fa22ef881ea18d1fada99ae80738d9636a7ac0ffde70c44fb9e6bf
Opcode Fuzzy Hash: 1d56fc99d5b2cc9936efa365c1cd5755dd26ac13a69dfae11bed51c64f5fad99
Instruction Fuzzy Hash: C3F1DC31608304DFCB54EF24C881B6EBBE5AF85314F18855DF9998B2A2CB31ED44CB52

Function 00C7326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D41990), ref: 00CB2F8D
GetMenuItemCount.USER32(00D41990), ref: 00CB303D
GetCursorPos.USER32(?), ref: 00CB3081
SetForegroundWindow.USER32(00000000), ref: 00CB308A
TrackPopupMenuEx.USER32(00D41990,00000000,?,00000000,00000000,00000000), ref: 00CB309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CB30A9

Strings

0, xrefs: 00C7327D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: bf999688ee16d557a0c46d1d8a0ac97a7428e3f15b2f450d3ffcf992f3ee93ef
Instruction ID: 758bd81011fa32777dfc8dd5973b05af318e0833966b0fe4f60a8a1cfcea0f6b
Opcode Fuzzy Hash: bf999688ee16d557a0c46d1d8a0ac97a7428e3f15b2f450d3ffcf992f3ee93ef
Instruction Fuzzy Hash: F6712B70640256BFEB219F65DC49FEABF64FF05364F204216F528AA2E1C7B1AE10DB50

Function 00D06CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D06DEB

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D06E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D06E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D06E94
DestroyWindow.USER32(?), ref: 00D06EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C70000,00000000), ref: 00D06EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D06EFD
GetDesktopWindow.USER32 ref: 00D06F16
GetWindowRect.USER32(00000000), ref: 00D06F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D06F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D06F4D

Part of subcall function 00C89944: GetWindowLongW.USER32(?,000000EB), ref: 00C89952

Strings

0, xrefs: 00D06D98
tooltips_class32, xrefs: 00D06E58, 00D06EDD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f5c34ee84c80ecd5b2985abe59718367e97be2f778c3f70d7b5226c2931f668f
Instruction ID: 073b7c8209d2ba547f17ae5027869e09c2b83736cc39ad5d7d2f7c6835afd1e5
Opcode Fuzzy Hash: f5c34ee84c80ecd5b2985abe59718367e97be2f778c3f70d7b5226c2931f668f
Instruction Fuzzy Hash: 3C718578104341AFDB21CF18D844BAABBE9FF89300F48491DFA99C72A1D771E956DB21

Function 00D0911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

DragQueryPoint.SHELL32(?,?), ref: 00D09147

Part of subcall function 00D07674: ClientToScreen.USER32(?,?), ref: 00D0769A
Part of subcall function 00D07674: GetWindowRect.USER32(?,?), ref: 00D07710
Part of subcall function 00D07674: PtInRect.USER32(?,?,00D08B89), ref: 00D07720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D09225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D0923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D09255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D09277
DragFinish.SHELL32(?), ref: 00D0927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D09371

Strings

@GUI_DROPID, xrefs: 00D0929E
@GUI_DRAGID, xrefs: 00D092E9
@GUI_DRAGFILE, xrefs: 00D09320

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86777a6fe0d1994fa85d3ea6aa97e1325fd8c7908a4b2d102bb92a90f44c8301
Instruction ID: 18cd33a06b231c13d6079a1616379df43529e43ed58b7bf7a8d99eb0b9ff8b32
Opcode Fuzzy Hash: 86777a6fe0d1994fa85d3ea6aa97e1325fd8c7908a4b2d102bb92a90f44c8301
Instruction Fuzzy Hash: 60615971108301AFD701DF64DC85EAFBBE8FF89750F404A1DF599922A1DB70AA49CB62

Function 00CEC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CEC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CEC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CEC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CEC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CEC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CEC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CEC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CEC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CEC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CEC5F0
InternetCloseHandle.WININET(00000000), ref: 00CEC5FB

Strings

, xrefs: 00CEC575

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c2f4b25ad079409ddd32062467e90bd377d754682c8e28c61da27d8aedf02e23
Instruction ID: 5d8db692fcf860b611a42ea7c1f3afc93d4857027380544060850533137948ed
Opcode Fuzzy Hash: c2f4b25ad079409ddd32062467e90bd377d754682c8e28c61da27d8aedf02e23
Instruction Fuzzy Hash: A4517CB1501348BFDB219F62C988ABB7BBCFF48344F00451AF95AD6250DB34EA05AB60

Function 00D0856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00D08592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00D0FC38,?), ref: 00D08611
GlobalFree.KERNEL32(00000000), ref: 00D08621
GetObjectW.GDI32(?,00000018,?), ref: 00D08641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D08671
DeleteObject.GDI32(?), ref: 00D08699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D086AF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 69a822f50b8d283083a49f276eabd12b8e91126ced4caa813c7a59d2d4928c22
Instruction ID: b698305f78dc88ecdf50d4d18d302f9c7ef3f23dc93408592c09d49eb6ca9a4a
Opcode Fuzzy Hash: 69a822f50b8d283083a49f276eabd12b8e91126ced4caa813c7a59d2d4928c22
Instruction Fuzzy Hash: 21410975610304EFDB119FA5CC88FAA7BB8EF89711F148158F94AE72A0DB719901DB70

Function 00CE14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CE1502
VariantCopy.OLEAUT32(?,?), ref: 00CE150B
VariantClear.OLEAUT32(?), ref: 00CE1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CE15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CE1657
VariantInit.OLEAUT32(?), ref: 00CE1708
SysFreeString.OLEAUT32(?), ref: 00CE178C
VariantClear.OLEAUT32(?), ref: 00CE17D8
VariantClear.OLEAUT32(?), ref: 00CE17E7
VariantInit.OLEAUT32(00000000), ref: 00CE1823

Strings

Default, xrefs: 00CE16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00CE1625

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 03d34ea88060b7a1cb619a92bfcc74721be2e95b44b173fcf098af1c7536f509
Instruction ID: 9f29185b349a369dbff5c40430496b0db93bcef05da4bb44dedc178189516ac2
Opcode Fuzzy Hash: 03d34ea88060b7a1cb619a92bfcc74721be2e95b44b173fcf098af1c7536f509
Instruction Fuzzy Hash: D6D10431600285EBDB00AF67D885BBDB7B5BF45700F18815AFC16AB284DB30ED65EB61

Function 00CFB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CFB80A
RegCloseKey.ADVAPI32(?), ref: 00CFB87E
RegCloseKey.ADVAPI32(?), ref: 00CFB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CFB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CFB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CFB922
FreeLibrary.KERNEL32(00000000), ref: 00CFB983
RegCloseKey.ADVAPI32(00000000), ref: 00CFB994

Strings

advapi32.dll, xrefs: 00CFB8ED
RegDeleteKeyExW, xrefs: 00CFB8FE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 7e8a58585495bcb1b6580c802e12ee2211a4a0b334407f74884b76fb5223f93c
Instruction ID: ca3b48fb828a0b76acb357257b94d6eef440ab4013554f76894b7c765ec09bcf
Opcode Fuzzy Hash: 7e8a58585495bcb1b6580c802e12ee2211a4a0b334407f74884b76fb5223f93c
Instruction Fuzzy Hash: 4EC16C30204205AFD754DF24C495F2ABBE5FF84318F14855CF6AA8B2A2CB71EE45DB92

Function 00CF255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CF25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CF25E8
CreateCompatibleDC.GDI32(?), ref: 00CF25F4
SelectObject.GDI32(00000000,?), ref: 00CF2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CF266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CF26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CF26D0
SelectObject.GDI32(?,?), ref: 00CF26D8
DeleteObject.GDI32(?), ref: 00CF26E1
DeleteDC.GDI32(?), ref: 00CF26E8
ReleaseDC.USER32(00000000,?), ref: 00CF26F3

Strings

(, xrefs: 00CF268D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2ceca735d0251eba84940484f1bce45dc1c14f688eb6bbb21d83c83caee8781f
Instruction ID: ea69e54e78a2476473c5eadbd061dba8b5191bc4873458de12e6072cdfac1587
Opcode Fuzzy Hash: 2ceca735d0251eba84940484f1bce45dc1c14f688eb6bbb21d83c83caee8781f
Instruction Fuzzy Hash: 8C61C175D00219EFCB14CFA4D884AAEBBB5FF48310F20852AEA59E7350D774A951DF60

Function 00CADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CADAA1

Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD659
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD66B
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD67D
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD68F
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6A1
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6B3
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6C5
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6D7
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6E9
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6FB
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD70D
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD71F
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD731

_free.LIBCMT ref: 00CADA96

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CADAB8
_free.LIBCMT ref: 00CADACD
_free.LIBCMT ref: 00CADAD8
_free.LIBCMT ref: 00CADAFA
_free.LIBCMT ref: 00CADB0D
_free.LIBCMT ref: 00CADB1B
_free.LIBCMT ref: 00CADB26
_free.LIBCMT ref: 00CADB5E
_free.LIBCMT ref: 00CADB65
_free.LIBCMT ref: 00CADB82
_free.LIBCMT ref: 00CADB9A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 85f4fa7778fe33e8c9ccc33890e4fe11835cd9c3e732d3421172decfc847187b
Instruction ID: 4fe2cbd42cf1be435dd3dee542db308247317bb381c58a9e0ef4d4bc477caf85
Opcode Fuzzy Hash: 85f4fa7778fe33e8c9ccc33890e4fe11835cd9c3e732d3421172decfc847187b
Instruction Fuzzy Hash: A4316B326043069FEB61AA38E845B9B77E8FF02718F114419F46BD7591DF30AE80A721

Function 00CD365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CD369C
_wcslen.LIBCMT ref: 00CD36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CD3797
GetClassNameW.USER32(?,?,00000400), ref: 00CD380C
GetDlgCtrlID.USER32(?), ref: 00CD385D
GetWindowRect.USER32(?,?), ref: 00CD3882
GetParent.USER32(?), ref: 00CD38A0
ScreenToClient.USER32(00000000), ref: 00CD38A7
GetClassNameW.USER32(?,?,00000100), ref: 00CD3921
GetWindowTextW.USER32(?,?,00000400), ref: 00CD395D

Strings

%s%u, xrefs: 00CD3734

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4d6fd4a585a11802773d617c407f71c90fe96c1f3bd508b65ff39e354b6c69fd
Instruction ID: 24edd016896c0b797d6aed5d40da3c29faffe611bfefa89fc4cfa1afcfde93b6
Opcode Fuzzy Hash: 4d6fd4a585a11802773d617c407f71c90fe96c1f3bd508b65ff39e354b6c69fd
Instruction Fuzzy Hash: 8B91B971204746AFD715DF24C895FAAF7A8FF44350F40462AFAA9D2290DB30EB45CB92

Function 00CD4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00CD4994
GetWindowTextW.USER32(?,?,00000400), ref: 00CD49DA
_wcslen.LIBCMT ref: 00CD49EB
CharUpperBuffW.USER32(?,00000000), ref: 00CD49F7
_wcsstr.LIBVCRUNTIME ref: 00CD4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00CD4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00CD4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00CD4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00CD4B20
GetWindowRect.USER32(?,?), ref: 00CD4B8B

Strings

ThumbnailClass, xrefs: 00CD4A6F, 00CD4AF1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 27c73b72824d56a0675e1d617c9821115ca1709c2026e77f2929617f70b51bfb
Instruction ID: f22785ad13821bd62c02cc93a8691b49a8a4eebbd33d7bff6e6e2f7ff7dc08ae
Opcode Fuzzy Hash: 27c73b72824d56a0675e1d617c9821115ca1709c2026e77f2929617f70b51bfb
Instruction Fuzzy Hash: 0C91CB31004205AFDB18DF14C985BAA77A8FF94304F04856BFF999A296DB30EE45CBA1

Function 00D08D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D08D5A
GetFocus.USER32 ref: 00D08D6A
GetDlgCtrlID.USER32(00000000), ref: 00D08D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00D08E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D08ECF
GetMenuItemCount.USER32(?), ref: 00D08EEC
GetMenuItemID.USER32(?,00000000), ref: 00D08EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D08F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D08F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D08FA1

Strings

0, xrefs: 00D08E9F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 9ba4fbdafc14d4a48bdb6727f115e0f2ed25376acf877e84d4875b7441df04cc
Instruction ID: 7e46ce087f57f231836e88d25467b35c181445a925de5e930e0db996b4d40aa0
Opcode Fuzzy Hash: 9ba4fbdafc14d4a48bdb6727f115e0f2ed25376acf877e84d4875b7441df04cc
Instruction Fuzzy Hash: D6816B71504301ABDB20DF24D884BABBBE9FF88354F180A19F99997291DB71D940EBB1

Function 00CDDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CDDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CDDC46
_wcslen.LIBCMT ref: 00CDDC50
_wcsstr.LIBVCRUNTIME ref: 00CDDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CDDCBC

Strings

04090000, xrefs: 00CDDCF2
\VarFileInfo\Translation, xrefs: 00CDDCB4
DefaultLangCodepage, xrefs: 00CDDD1F
StringFileInfo\, xrefs: 00CDDC8F
%u.%u.%u.%u, xrefs: 00CDDD9A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 993dd4696d18f470474e8eecfba51bec8d9a8435e95f58ec553bd313d987361e
Instruction ID: 7b4936253aa4c4af4ba8530d530d0cc639820c56d9a659e6a5ed30665f8b42b9
Opcode Fuzzy Hash: 993dd4696d18f470474e8eecfba51bec8d9a8435e95f58ec553bd313d987361e
Instruction Fuzzy Hash: 414133329402007AEF14AB749C47EBF37ACEF55710F10406AFA05A62C2EB749A05A7B4

Function 00CFCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CFCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CFCD48

Part of subcall function 00CFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CFCCAA
Part of subcall function 00CFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CFCCBD
Part of subcall function 00CFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CFCCCF
Part of subcall function 00CFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CFCD05
Part of subcall function 00CFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CFCCF3

Strings

advapi32.dll, xrefs: 00CFCCB8
RegDeleteKeyExW, xrefs: 00CFCCC9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 757f05bf6424cd2e14422208d5a59e3b86a034d43e2bf4ad5e4a93c700bf68b5
Instruction ID: 73331a4d73c2017a25a479085b474a2168801b60dc13e0aa87f60d00f006fa9a
Opcode Fuzzy Hash: 757f05bf6424cd2e14422208d5a59e3b86a034d43e2bf4ad5e4a93c700bf68b5
Instruction Fuzzy Hash: 62317C71A0122CBBDB208B51DD88EFFBB7CEF45750F000165EA1AE3240DA749A45DAB1

Function 00CDE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CDE6B4

Part of subcall function 00C8E551: timeGetTime.WINMM(?,?,00CDE6D4), ref: 00C8E555

Sleep.KERNEL32(0000000A), ref: 00CDE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00CDE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CDE727
SetActiveWindow.USER32 ref: 00CDE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CDE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CDE773
Sleep.KERNEL32(000000FA), ref: 00CDE77E
IsWindow.USER32 ref: 00CDE78A
EndDialog.USER32(00000000), ref: 00CDE79B

Strings

BUTTON, xrefs: 00CDE719

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5e89dbeabc65e931a76786122284ff2cc25eddd2be54bb186cb037e8a9d2eda8
Instruction ID: 599289d7db51c307e67a232ff6cd5ad3c8f35d11b9c5cc41defde67984cf71c6
Opcode Fuzzy Hash: 5e89dbeabc65e931a76786122284ff2cc25eddd2be54bb186cb037e8a9d2eda8
Instruction Fuzzy Hash: F7218EB8210314AFEB106F60ECCAB363B69F756348F512526F619C63B1DB72AC019A35

Function 00CDE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CDEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CDEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CDEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CDEAA7

Strings

open , xrefs: 00CDEA0C
play PlayMe wait, xrefs: 00CDEA91
close PlayMe, xrefs: 00CDEA6E, 00CDEA9B
alias PlayMe, xrefs: 00CDEA36
play PlayMe, xrefs: 00CDEAA2
status PlayMe mode, xrefs: 00CDEA58

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d79a6077293ccaa97f93450519b01f1b2e52aa8f1bf18f24646242c262ab87eb
Instruction ID: 47506a57792c13f58b48ad8e3ef53ee0b033090125f9a7963a4ac63507ee48ae
Opcode Fuzzy Hash: d79a6077293ccaa97f93450519b01f1b2e52aa8f1bf18f24646242c262ab87eb
Instruction Fuzzy Hash: 02117331A902697DD720F7A2DC4AEFF6A7CEBD1B00F00442AB519A60D1EE704E09D9B0

Function 00CD5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CD5CE2
GetWindowRect.USER32(00000000,?), ref: 00CD5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CD5D59
GetDlgItem.USER32(?,00000002), ref: 00CD5D69
GetWindowRect.USER32(00000000,?), ref: 00CD5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CD5DCF
GetDlgItem.USER32(?,000003E9), ref: 00CD5DDD
GetWindowRect.USER32(00000000,?), ref: 00CD5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CD5E31
GetDlgItem.USER32(?,000003EA), ref: 00CD5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CD5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CD5E67

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f65f65a6e97df798db9fd58d97183a28a73ee4f0afa6dfba050bedace44cfd19
Instruction ID: 7a98ea4f726701132d8563ff08f18bb25df626f4558ff1f47eac7e29bda0155e
Opcode Fuzzy Hash: f65f65a6e97df798db9fd58d97183a28a73ee4f0afa6dfba050bedace44cfd19
Instruction Fuzzy Hash: 2851FD71A10709AFDB18DF68DD89BAEBBB5EB48301F548229F519E6390D7709E04CB60

Function 00C88BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C88BE8,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00C88FC5

DestroyWindow.USER32(?), ref: 00C88C81
KillTimer.USER32(00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00C88D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00CC6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00CC69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00CC69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C88BBA,00000000), ref: 00CC69D4
DeleteObject.GDI32(00000000), ref: 00CC69E6

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a15a94433dd990edd77c9c5981f80569178e3e4116e2d9d9614400868f7a090f
Instruction ID: 89595f6b25c784205bd47f1806e8febecad040de124394cc1b01bb9a0088c00e
Opcode Fuzzy Hash: a15a94433dd990edd77c9c5981f80569178e3e4116e2d9d9614400868f7a090f
Instruction Fuzzy Hash: 7561BD38102700DFDB21AF15DA48B257BF1FB4531AF50451CE0669BAA4CB31AEC8DFA8

Function 00C89838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C89944: GetWindowLongW.USER32(?,000000EB), ref: 00C89952

GetSysColor.USER32(0000000F), ref: 00C89862

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c62ce8e458260a70cb937fd393e59507c31c66bda93f1e138a07edc44cc3ea64
Instruction ID: 10f56bf337507c1d2b7839731be39a0fc0582950a78936c2e7c4897248cc5d6f
Opcode Fuzzy Hash: c62ce8e458260a70cb937fd393e59507c31c66bda93f1e138a07edc44cc3ea64
Instruction Fuzzy Hash: DA418C31104740AFDB20AF38DC88BB93BA5EB06328F194719F9B6872E1C6319942DB25

Function 00CD96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00CD9717
LoadStringW.USER32(00000000,?,00CBF7F8,00000001), ref: 00CD9720

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00CD9742
LoadStringW.USER32(00000000,?,00CBF7F8,00000001), ref: 00CD9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00CD9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CD984A
^ ERROR, xrefs: 00CD97FB
Error: , xrefs: 00CD981D
Line %d:, xrefs: 00CD97A0
Line %d (File "%s"):, xrefs: 00CD978F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3bb3d4498a4400127fbf28cceb6178948aeedb0c1d2bedb0f2543603acfc680d
Instruction ID: 3d0012d344879fbfed0ac1a9579390c4539e10db22360ac32bd8ed33bbe6a1e4
Opcode Fuzzy Hash: 3bb3d4498a4400127fbf28cceb6178948aeedb0c1d2bedb0f2543603acfc680d
Instruction Fuzzy Hash: 7B414E72900209AACF14FBE0CD86DEE7378EF55340F504165F609721A2EB356F49EB61

Function 00CD06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CD07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CD07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CD07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CD0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CD082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CD0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CD083C

Strings

\CLSID, xrefs: 00CD0724
\IPC$, xrefs: 00CD0784
SOFTWARE\Classes\, xrefs: 00CD070E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8f38962322f244f176443c279bad0bbaf32b6eca56580448bf2f211a5b4a4838
Instruction ID: 8324b0fdf405edb34db58252656d037a83ef579014fb010bc4c92767bd4d79da
Opcode Fuzzy Hash: 8f38962322f244f176443c279bad0bbaf32b6eca56580448bf2f211a5b4a4838
Instruction Fuzzy Hash: 62412A72C10229ABDF11EBA4DC85DEDB778FF44350F148129E915A72A1EB309E04DFA0

Function 00CF3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF3C5C
CoInitialize.OLE32(00000000), ref: 00CF3C8A
CoUninitialize.OLE32 ref: 00CF3C94
_wcslen.LIBCMT ref: 00CF3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CF3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CF3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CF3F0E
CoGetObject.OLE32(?,00000000,00D0FB98,?), ref: 00CF3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CF3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CF3FC4
VariantClear.OLEAUT32(?), ref: 00CF3FD8

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cfffdab02a2ea85c7488440689d1fd77c5d9be1503d580046dc12bdb0b396cee
Instruction ID: cd250360477b628839bd9d36a138ab9975c3db02100e08effc1e46b49162f4db
Opcode Fuzzy Hash: cfffdab02a2ea85c7488440689d1fd77c5d9be1503d580046dc12bdb0b396cee
Instruction Fuzzy Hash: D7C14571608349AFC740DF68C884A2BB7E9FF89744F10495DFA8A9B250D730EE45CB62

Function 00CE7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CE7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CE7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CE7BA3
CoCreateInstance.OLE32(00D0FD08,00000000,00000001,00D36E6C,?), ref: 00CE7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CE7C74
CoTaskMemFree.OLE32(?,?), ref: 00CE7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CE7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CE7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CE7D81
CoTaskMemFree.OLE32(00000000), ref: 00CE7DD6
CoUninitialize.OLE32 ref: 00CE7DDC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 201dc4154a1572e6b21d871e7b39cc6547177cd765b0194f7c957aab9409a1a4
Instruction ID: 79d81fb8f802f11a214002f4516c474fdcd52f15f14139b9ae6402c430805677
Opcode Fuzzy Hash: 201dc4154a1572e6b21d871e7b39cc6547177cd765b0194f7c957aab9409a1a4
Instruction Fuzzy Hash: 0CC11A75A04249AFCB14DFA5C888DAEBBF9FF48304B148599E819DB361D730EE45CB90

Function 00D0541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D05504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D05515
CharNextW.USER32(00000158), ref: 00D05544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D05585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D0559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D055AC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 93e2fe587f8fedef72a11e04634005303b574ee22d9d98fcfd80fdcfbd7e5750
Instruction ID: b578f02975d42a6fd0aa941804e4982ddedaf17f6b869b37d8285477b7528222
Opcode Fuzzy Hash: 93e2fe587f8fedef72a11e04634005303b574ee22d9d98fcfd80fdcfbd7e5750
Instruction Fuzzy Hash: 13616934900608ABDB208F54EC84BFF7BB9EB0A320F544145F969AB2E4D7709A81DF70

Function 00CCFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CCFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00CCFB08
VariantInit.OLEAUT32(?), ref: 00CCFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CCFB3A
VariantCopy.OLEAUT32(?,?), ref: 00CCFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CCFBA1
VariantClear.OLEAUT32(?), ref: 00CCFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CCFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CCFBCC
VariantClear.OLEAUT32(?), ref: 00CCFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CCFBE9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 850585fd0cfb105746fcd9f134732ee1497c32010ccec4f02897b70f48d5cd2c
Instruction ID: 6f4508f391766b6ee8041c734d03aea6d18f58387f3f2e9549fb0a0d8eefd8ed
Opcode Fuzzy Hash: 850585fd0cfb105746fcd9f134732ee1497c32010ccec4f02897b70f48d5cd2c
Instruction Fuzzy Hash: 6F413035A002199FCB00DF64C868EADBBB9FF48344F00816DE959E7261C730EE46DBA0

Function 00CD9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CD9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00CD9D22
GetKeyState.USER32(000000A0), ref: 00CD9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00CD9D57
GetKeyState.USER32(000000A1), ref: 00CD9D6C
GetAsyncKeyState.USER32(00000011), ref: 00CD9D84
GetKeyState.USER32(00000011), ref: 00CD9D96
GetAsyncKeyState.USER32(00000012), ref: 00CD9DAE
GetKeyState.USER32(00000012), ref: 00CD9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00CD9DD8
GetKeyState.USER32(0000005B), ref: 00CD9DEA

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8f493696d61156aad81a6f70597b1fb35096bdc51b2fb35fe8044624bed19319
Instruction ID: 857de0e74fa9145d123a77497f315095def7e68d7e8ea881aecce19b3600416f
Opcode Fuzzy Hash: 8f493696d61156aad81a6f70597b1fb35096bdc51b2fb35fe8044624bed19319
Instruction Fuzzy Hash: A441C4385047C969FF309B6488043A5BEA1EB12344F04805BDBD6567C2EBB59BC8C7A2

Function 00CF055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CF05BC
inet_addr.WSOCK32(?), ref: 00CF061C
gethostbyname.WSOCK32(?), ref: 00CF0628
IcmpCreateFile.IPHLPAPI ref: 00CF0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CF07B9
WSACleanup.WSOCK32 ref: 00CF07BF

Strings

Ping, xrefs: 00CF0676

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bf623046e630947b21045100b91c6966946684402bd3235b3aef3edafac898cf
Instruction ID: 7b0165271bbc4b0d73ad5ebbf5a7607cc3560f6bb6cbbc3708d093f18ec0145a
Opcode Fuzzy Hash: bf623046e630947b21045100b91c6966946684402bd3235b3aef3edafac898cf
Instruction Fuzzy Hash: 8C917C756083019FD760DF15C888F2ABBE0AF84718F2485A9F5698B7A2C770ED45CF92

Function 00CF8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CF8CF3

Part of subcall function 00CD8E54: _wcslen.LIBCMT ref: 00CD8E77

_wcslen.LIBCMT ref: 00CF8D4E
_wcslen.LIBCMT ref: 00CF8D9C
_wcslen.LIBCMT ref: 00CF8DDC
_wcslen.LIBCMT ref: 00CF8E6E

Strings

stdcall, xrefs: 00CF8DD6, 00CF8DDB
winapi, xrefs: 00CF8D96, 00CF8D9B
cdecl, xrefs: 00CF8D48, 00CF8D4D
none, xrefs: 00CF8E65, 00CF8E6A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9b46b1ea522d3b12f63934fe6824d4fe1af2c625693e11b78f3bc57a962fbd9b
Instruction ID: bd725c87818823b326aeebc6c10723fd6c85a87af35615c683009b081f66812b
Opcode Fuzzy Hash: 9b46b1ea522d3b12f63934fe6824d4fe1af2c625693e11b78f3bc57a962fbd9b
Instruction Fuzzy Hash: 9751D136A0051A9BCF64DF68C8419BEB3A5BF65320B214229E626E73C4DB30DE48D791

Function 00CF372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CF3774
CoUninitialize.OLE32 ref: 00CF377F
CoCreateInstance.OLE32(?,00000000,00000017,00D0FB78,?), ref: 00CF37D9
IIDFromString.OLE32(?,?), ref: 00CF384C
VariantInit.OLEAUT32(?), ref: 00CF38E4
VariantClear.OLEAUT32(?), ref: 00CF3936

Strings

NULL Pointer assignment, xrefs: 00CF381E
Invalid parameter, xrefs: 00CF3865
Failed to create object, xrefs: 00CF37E4, 00CF389A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 60bc76e87300fbc6d9c14afc2dc1f14926cb1bf36aff37bff530711d271ff256
Instruction ID: 16cb07b654cfcd2dacf923a72a881f10d3e11c5ecccbaa48b827d9b537e19cbe
Opcode Fuzzy Hash: 60bc76e87300fbc6d9c14afc2dc1f14926cb1bf36aff37bff530711d271ff256
Instruction Fuzzy Hash: BE61C070608345AFD310EF55C888B6AB7E4EF48750F10490AFA959B391C774EE48DBA7

Function 00CE3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CE33CF

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CE33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00CE3522
^ ERROR , xrefs: 00CE349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00CE3504
Incorrect parameters to object property !, xrefs: 00CE34AB
Error: , xrefs: 00CE34D1
Line %d (File "%s"):, xrefs: 00CE3443, 00CE345C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ab319e987eb31e2378c78a4f0cdf3929b3ef3a6b376a1b162e304cd433655e66
Instruction ID: d9f48cac8648506d42da897e3e2fc2988a100ce86d59e781c26d4b50af79d92f
Opcode Fuzzy Hash: ab319e987eb31e2378c78a4f0cdf3929b3ef3a6b376a1b162e304cd433655e66
Instruction Fuzzy Hash: C5518D31900249ABDF15EBA1CD46EEEB778EF14340F108165F509B21A2EB316F58EB61

Function 00CDB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CDB5FC
_wcslen.LIBCMT ref: 00CDB608
_wcslen.LIBCMT ref: 00CDB64D
_wcslen.LIBCMT ref: 00CDB68C
_wcslen.LIBCMT ref: 00CDB6C7

Strings

EXISTS, xrefs: 00CDB686, 00CDB68B
KEYS, xrefs: 00CDB647, 00CDB64C
REMOVE, xrefs: 00CDB602, 00CDB607
APPEND, xrefs: 00CDB6C1, 00CDB6C6

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 737679998e617f1f00ef10eb6973d957c156779dae7ecf6e7132d92b9ffa1ca8
Instruction ID: 67861a8b226bd743a1bd796c6a81a4f740531f6945ec0a98a87970fe49562ef6
Opcode Fuzzy Hash: 737679998e617f1f00ef10eb6973d957c156779dae7ecf6e7132d92b9ffa1ca8
Instruction Fuzzy Hash: 1A41A732A00126DBCB245F7D88905BEB7A5AF65754B26412BF635D7384E731CE82C7A0

Function 00CE5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CE5416
GetLastError.KERNEL32 ref: 00CE5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CE54A7

Strings

READY, xrefs: 00CE5460, 00CE5468
INVALID, xrefs: 00CE5459
READONLY, xrefs: 00CE5452
UNKNOWN, xrefs: 00CE5444
NOTREADY, xrefs: 00CE544B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2090232ba82dce1209f34285066f55477998749c94ac1b43ca07a718e23536f2
Instruction ID: d14cb317915e79166c072c590cf7db0b82ff3e3a04a81620a6af5a933de398b5
Opcode Fuzzy Hash: 2090232ba82dce1209f34285066f55477998749c94ac1b43ca07a718e23536f2
Instruction Fuzzy Hash: 7931AE35A006449FC710DF6AC484BAABBB4EF04309F14C065E415DB3D2D771DE86CBA1

Function 00D03C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D03C79
SetMenu.USER32(?,00000000), ref: 00D03C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D03D10
IsMenu.USER32(?), ref: 00D03D24
CreatePopupMenu.USER32 ref: 00D03D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D03D5B
DrawMenuBar.USER32 ref: 00D03D63

Strings

0, xrefs: 00D03C54
F, xrefs: 00D03D4E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8f5587a8695b9cad308a17bc802977a6fcccec3e514c036b308c882d7e401941
Instruction ID: 17a9d83acd64d6cad3e956314e3ec1eaf00e81a196b2235b1eda578772b21ea9
Opcode Fuzzy Hash: 8f5587a8695b9cad308a17bc802977a6fcccec3e514c036b308c882d7e401941
Instruction Fuzzy Hash: 33414C79A01309AFDB14CF64D848BAA77B9FF49350F140129E94AD73A0D770AA11DF64

Function 00D03A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D03A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D03AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D03AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D03AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D03B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D03BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D03BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D03BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D03BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D03C13

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f42e1801f3f29478e7aef3abe3ab59c3343beda8ca339b007a277138bfe59017
Instruction ID: c258242b082883545d29a98456e353e044496293927396f6dd0a59a85010687b
Opcode Fuzzy Hash: f42e1801f3f29478e7aef3abe3ab59c3343beda8ca339b007a277138bfe59017
Instruction Fuzzy Hash: D2614875900248AFDB10DFA8CC81FEE77B8EB49704F144199FA19E72E1D770AA85DB60

Function 00CDB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CDB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB165
GetWindowThreadProcessId.USER32(00000000), ref: 00CDB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CDB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00CDA1E1,?,00000001), ref: 00CDB21D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a6685774b0fabc0f8824d2dd54a204c2b55816b6995598fbfee563b99b62c128
Instruction ID: 47019b589028c97aa63ab97dc1dd878ee723bc471b565fad39f4e70401c49198
Opcode Fuzzy Hash: a6685774b0fabc0f8824d2dd54a204c2b55816b6995598fbfee563b99b62c128
Instruction Fuzzy Hash: 33318E76610304EFDB209F28EC88B6D7BB9AB52355F11420AFA19D63A0D7B49E408F70

Function 00CA2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA2C94

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CA2CA0
_free.LIBCMT ref: 00CA2CAB
_free.LIBCMT ref: 00CA2CB6
_free.LIBCMT ref: 00CA2CC1
_free.LIBCMT ref: 00CA2CCC
_free.LIBCMT ref: 00CA2CD7
_free.LIBCMT ref: 00CA2CE2
_free.LIBCMT ref: 00CA2CED
_free.LIBCMT ref: 00CA2CFB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27e38b707288d9c97fd5bb745a06bbe9d8aa9aa34f72c490b82c481c72728a50
Instruction ID: 9b930ab7583d17d411f5a28bb86b17515eb47a2ae5fd741219ef553b86ec50be
Opcode Fuzzy Hash: 27e38b707288d9c97fd5bb745a06bbe9d8aa9aa34f72c490b82c481c72728a50
Instruction Fuzzy Hash: C811CB76100119BFCB42EFA8D842CDE3BA5FF06754F4144A5FA485F232DA31EE50ABA1

Function 00C71410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C71459
OleUninitialize.OLE32(?,00000000), ref: 00C714F8
UnregisterHotKey.USER32(?), ref: 00C716DD
DestroyWindow.USER32(?), ref: 00CB24B9
FreeLibrary.KERNEL32(?), ref: 00CB251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CB254B

Strings

close all, xrefs: 00C71454

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 32d866a6b8a256b26d590e7815ad88c31c9c034fd9ecf1935a25754cfd2f8180
Instruction ID: a606541a54664dfd7e2fa75975b225e86b310df87b4df16a583f459c91842a1f
Opcode Fuzzy Hash: 32d866a6b8a256b26d590e7815ad88c31c9c034fd9ecf1935a25754cfd2f8180
Instruction Fuzzy Hash: 95D16D31701212CFCB29EF19C899B69F7A4BF05700F1882ADE94EAB251DB30AD16DF55

Function 00CE7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CE7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CE8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE80B0

Strings

*.*, xrefs: 00CE8066

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: fbd87a27233997e9add4af211dc6a909e044afee8329ffd40d3ac6c4f600ffad
Instruction ID: 8e10a07da258fa7eaeb08e42bc46cbfc181af502bf30b998936b752cf3989cf3
Opcode Fuzzy Hash: fbd87a27233997e9add4af211dc6a909e044afee8329ffd40d3ac6c4f600ffad
Instruction Fuzzy Hash: 5B81A2725083819FCB24EF56C445A6EB3D8FF84310F14495EF899D7250EB35DE498B52

Function 00C75BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C75C7A

Part of subcall function 00C75D0A: GetClientRect.USER32(?,?), ref: 00C75D30
Part of subcall function 00C75D0A: GetWindowRect.USER32(?,?), ref: 00C75D71
Part of subcall function 00C75D0A: ScreenToClient.USER32(?,?), ref: 00C75D99

GetDC.USER32 ref: 00CB46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CB4708
SelectObject.GDI32(00000000,00000000), ref: 00CB4716
SelectObject.GDI32(00000000,00000000), ref: 00CB472B
ReleaseDC.USER32(?,00000000), ref: 00CB4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CB47C4

Strings

U, xrefs: 00CB4693

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8ddca96f51537dffa993ee0fb891ebaebc147f5b79194e6ba83fdfed8abeb00a
Instruction ID: d5373abeeee2df91ddccfc05c617bffa70cd00d5d00ee5ff43b6d68d26f9f81e
Opcode Fuzzy Hash: 8ddca96f51537dffa993ee0fb891ebaebc147f5b79194e6ba83fdfed8abeb00a
Instruction Fuzzy Hash: A771D034404205DFCF298F64C985AFA7BB5FF4A310F144269F969AA2A7C7319941DF60

Function 00CE359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CE35E4

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

LoadStringW.USER32(00D42390,?,00000FFF,?), ref: 00CE360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00CE3742
^ ERROR, xrefs: 00CE36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00CE3724
Error: , xrefs: 00CE36EF
Line %d (File "%s"):, xrefs: 00CE366B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a2848d97d29651cf2fd28b94c316eaaee53c15d74802a27d693f1d5c0ef4a507
Instruction ID: 4034989d22d3a9459b32ce711229b7232c53715e13e22883676c74f342555197
Opcode Fuzzy Hash: a2848d97d29651cf2fd28b94c316eaaee53c15d74802a27d693f1d5c0ef4a507
Instruction Fuzzy Hash: 33517C71900289BBDF15EFA1CC46EEEBB78EF15300F148125F509721A1EB316B99EB61

Function 00D08B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

Part of subcall function 00C8912D: GetCursorPos.USER32(?), ref: 00C89141
Part of subcall function 00C8912D: ScreenToClient.USER32(00000000,?), ref: 00C8915E
Part of subcall function 00C8912D: GetAsyncKeyState.USER32(00000001), ref: 00C89183
Part of subcall function 00C8912D: GetAsyncKeyState.USER32(00000002), ref: 00C8919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00D08B6B
ImageList_EndDrag.COMCTL32 ref: 00D08B71
ReleaseCapture.USER32 ref: 00D08B77
SetWindowTextW.USER32(?,00000000), ref: 00D08C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D08C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00D08CFF

Strings

@GUI_DROPID, xrefs: 00D08C51
@GUI_DRAGFILE, xrefs: 00D08C9A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 70d5b1f754e0f91a961387a831b7524231efbaec61e32effd7e325107b2aef5d
Instruction ID: a9122e5ce06a759605d8b136881c96871959021a6eeb6cfbdf36a3fa0b18b3ac
Opcode Fuzzy Hash: 70d5b1f754e0f91a961387a831b7524231efbaec61e32effd7e325107b2aef5d
Instruction Fuzzy Hash: 7B517974204300AFE714EF24D85ABAA77E4FB88714F440A2DF99A972E1CB719944DB72

Function 00CEC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CEC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CEC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CEC2CA
GetLastError.KERNEL32 ref: 00CEC322
SetEvent.KERNEL32(?), ref: 00CEC336
InternetCloseHandle.WININET(00000000), ref: 00CEC341

Strings

, xrefs: 00CEC2BB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a81b457d7a92625e22b5b303425bd57d1a3efe8bbe976fc6a49e00b5974f7dfe
Instruction ID: 8e5c77b22e2f3f25105ec8ea37a55de934faeac800716879c96a134caaf58f4e
Opcode Fuzzy Hash: a81b457d7a92625e22b5b303425bd57d1a3efe8bbe976fc6a49e00b5974f7dfe
Instruction Fuzzy Hash: B1319FB1500784AFD7219F668CC8AAB7BFCEB49740B14851DF45AD3210DB34DE069B70

Function 00CD989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CB3AAF,?,?,Bad directive syntax error,00D0CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CD98BC
LoadStringW.USER32(00000000,?,00CB3AAF,?), ref: 00CD98C3

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CD9987

Strings

Error: , xrefs: 00CD9955
%s (%d) : ==> %s.: %s %s, xrefs: 00CD98F1
., xrefs: 00CD996D
Line %d:, xrefs: 00CD9912
Line %d (File "%s"):, xrefs: 00CD992D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8aaede1dc4e1ca6b3bf6b14bc91139776f9566a874cdd27026f71cc8493d100b
Instruction ID: a31263ba2528df0474d6940c0df30e25bed454a680d0ea104507d5eeb8503f8a
Opcode Fuzzy Hash: 8aaede1dc4e1ca6b3bf6b14bc91139776f9566a874cdd27026f71cc8493d100b
Instruction Fuzzy Hash: CE219131D4021ABFCF21AF90CC16EEE7735FF18300F04846AF619661A2EB319618EB21

Function 00CD209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CD20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00CD20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CD214D

Strings

list, xrefs: 00CD212F
largeicons, xrefs: 00CD20E1
details, xrefs: 00CD20FB
SHELLDLL_DefView, xrefs: 00CD20CC
smallicons, xrefs: 00CD2115

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2aea90f55f32c428939d80289a11c0f52613a50e0ede931a437a8cc03ddf4ecd
Instruction ID: 87291919a7635a001f12c03326bd284d1cf9b79146f617c29b4203b5fedbb7e5
Opcode Fuzzy Hash: 2aea90f55f32c428939d80289a11c0f52613a50e0ede931a437a8cc03ddf4ecd
Instruction Fuzzy Hash: FC115C76284707B9FA152320EC0BEAA739CCF24324F205217F705E52E1FE616C076624

Function 00CACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CACEB7
_free.LIBCMT ref: 00CACF22
_free.LIBCMT ref: 00CACF48
_free.LIBCMT ref: 00CACF71
_free.LIBCMT ref: 00CACFA9
_free.LIBCMT ref: 00CACFDA
_free.LIBCMT ref: 00CAD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CAD09C
_free.LIBCMT ref: 00CAD0B5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ce5591a09a0b1b41b5ec40c0ff565387312490dc44a60187fe4a36db3f9c8b92
Instruction ID: 73f34acc126b499aab21140fc345eb3bb243f487fb6cde3550ffc14eb2c298ec
Opcode Fuzzy Hash: ce5591a09a0b1b41b5ec40c0ff565387312490dc44a60187fe4a36db3f9c8b92
Instruction Fuzzy Hash: 1B615772904313AFDF21AFF89CC5A6A7BA5AF03368F04416DFA65D7281D7319E0197A0

Function 00D050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D05186
ShowWindow.USER32(?,00000000), ref: 00D051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D051D1

Part of subcall function 00D06FBA: DeleteObject.GDI32(00000000), ref: 00D06FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D0520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D0521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D0524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D05287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D05296

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5057472c378c21bb7c4d6386849a5f90fb8da23443a82f2260f8a8bd86dd8646
Instruction ID: 21fb357ca6b133c0676dd1275bead8bfd255f8338217e1de820eaaa7926b49f7
Opcode Fuzzy Hash: 5057472c378c21bb7c4d6386849a5f90fb8da23443a82f2260f8a8bd86dd8646
Instruction Fuzzy Hash: E2518C30A50B08FFEF209F24EC4AB9A3B65EF05325F184111FA1D962E4C771A980DF66

Function 00C88B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CC6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CC68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CC68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CC68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CC68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C88874,00000000,00000000,00000000,000000FF,00000000), ref: 00CC6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CC691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C88874,00000000,00000000,00000000,000000FF,00000000), ref: 00CC692D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 1292bd8e894a2e40ca5aee5da32de2ec08d0dafda58feed40c94ab5e05919721
Instruction ID: 4d12a0387b8d73782a9241837004b1724d4ff8a399608c33c98dc94ac3adbe7f
Opcode Fuzzy Hash: 1292bd8e894a2e40ca5aee5da32de2ec08d0dafda58feed40c94ab5e05919721
Instruction Fuzzy Hash: 3D518874600309AFDB20DF25CC95FAA7BB5EB88754F104618F926D72E0DB70EA90DB60

Function 00CEC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CEC182
GetLastError.KERNEL32 ref: 00CEC195
SetEvent.KERNEL32(?), ref: 00CEC1A9

Part of subcall function 00CEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CEC272
Part of subcall function 00CEC253: GetLastError.KERNEL32 ref: 00CEC322
Part of subcall function 00CEC253: SetEvent.KERNEL32(?), ref: 00CEC336
Part of subcall function 00CEC253: InternetCloseHandle.WININET(00000000), ref: 00CEC341

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7bb62e0a5a358e074a4d9a3b67ab2e6f1544ab3381dc6adcf49020e2cf3aef20
Instruction ID: 96ba0b31370fbbdaac28250560d2d74efc3641d057bb37c90dba9459ccf2e811
Opcode Fuzzy Hash: 7bb62e0a5a358e074a4d9a3b67ab2e6f1544ab3381dc6adcf49020e2cf3aef20
Instruction Fuzzy Hash: 22318F71600781AFDB259FB6DC84A6ABBF9FF58300B00451DFA6AC2610D730E916AB60

Function 00CD25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3A57
Part of subcall function 00CD3A3D: GetCurrentThreadId.KERNEL32 ref: 00CD3A5E
Part of subcall function 00CD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD25B3), ref: 00CD3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CD25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CD25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CD2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CD2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CD2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CD2627

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 807906e127dfa591fe0294290fd5e2ef632d7645f475d53da22bbb843994d976
Instruction ID: d3354e5b03330d9e91c4972687a8ba3be94ef2812c290221f51b0321704d1dcb
Opcode Fuzzy Hash: 807906e127dfa591fe0294290fd5e2ef632d7645f475d53da22bbb843994d976
Instruction Fuzzy Hash: 4401D830390710BBFB2067699C8AF593F59DB5EB11F501102F31CEF2E1C9E254449ABA

Function 00CD1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CD1449,?,?,00000000), ref: 00CD180C
HeapAlloc.KERNEL32(00000000,?,00CD1449,?,?,00000000), ref: 00CD1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD1449,?,?,00000000), ref: 00CD1828
GetCurrentProcess.KERNEL32(?,00000000,?,00CD1449,?,?,00000000), ref: 00CD1830
DuplicateHandle.KERNEL32(00000000,?,00CD1449,?,?,00000000), ref: 00CD1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD1449,?,?,00000000), ref: 00CD1843
GetCurrentProcess.KERNEL32(00CD1449,00000000,?,00CD1449,?,?,00000000), ref: 00CD184B
DuplicateHandle.KERNEL32(00000000,?,00CD1449,?,?,00000000), ref: 00CD184E
CreateThread.KERNEL32(00000000,00000000,00CD1874,00000000,00000000,00000000), ref: 00CD1868

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1648d5f921a2851fb354d7be6c7d92a72f2871fa8314d6d92c08dbb099a6a3be
Instruction ID: 6774711824d6a75a4995244f023f432c36a277c548588bc252fb1cb4121de06b
Opcode Fuzzy Hash: 1648d5f921a2851fb354d7be6c7d92a72f2871fa8314d6d92c08dbb099a6a3be
Instruction Fuzzy Hash: 3701BF75250304BFE710AB65DC4DF573B6CEB89B11F015515FA05DB291C6709800CB31

Function 00CFA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00CDD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00CDD501
Part of subcall function 00CDD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00CDD50F
Part of subcall function 00CDD4DC: CloseHandle.KERNEL32(00000000), ref: 00CDD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFA16D
GetLastError.KERNEL32 ref: 00CFA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CFA268
GetLastError.KERNEL32(00000000), ref: 00CFA273
CloseHandle.KERNEL32(00000000), ref: 00CFA2C4

Strings

SeDebugPrivilege, xrefs: 00CFA18F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e109a7d0a31688496433a72301f3187c9e5da0a7a3a5242f69226f55ce568bfb
Instruction ID: 810b42675fef3f160e972938a3512c5e8bbb84088eae78efc6c84c4ad1efad41
Opcode Fuzzy Hash: e109a7d0a31688496433a72301f3187c9e5da0a7a3a5242f69226f55ce568bfb
Instruction Fuzzy Hash: B2617CB1204642AFD720DF19C494F29BBA1AF44318F19C49CE56E8B7A3C772ED45CB92

Function 00D03886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D03925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D0393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D03954
_wcslen.LIBCMT ref: 00D03999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D039F4

Strings

SysListView32, xrefs: 00D038F7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b0f2c4a01aab14baf856b5ab3d1586fa522de3a41699a53efdabddae95ce16fd
Instruction ID: cab9ab4d75db81ff0c7335023ef6d0e69342f59bb2c9ab7f7e750fdf49f0bc96
Opcode Fuzzy Hash: b0f2c4a01aab14baf856b5ab3d1586fa522de3a41699a53efdabddae95ce16fd
Instruction Fuzzy Hash: F5418271A00319ABEF219F64CC49BEA77ADEF08350F140566F958E72D1D7B1D984CBA0

Function 00CDBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDBCFD
IsMenu.USER32(00000000), ref: 00CDBD1D
CreatePopupMenu.USER32 ref: 00CDBD53
GetMenuItemCount.USER32(010356D0), ref: 00CDBDA4
InsertMenuItemW.USER32(010356D0,?,00000001,00000030), ref: 00CDBDCC

Strings

0, xrefs: 00CDBCA8
2, xrefs: 00CDBD37

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: dc3b515d78712e17f9cbf7b24d50c8804df42e84c601442f4e72aeeb62c28a43
Instruction ID: ca6766ab9d3b943438d283a9a48f785d70887157cdb69d8b7fecc644354380bc
Opcode Fuzzy Hash: dc3b515d78712e17f9cbf7b24d50c8804df42e84c601442f4e72aeeb62c28a43
Instruction Fuzzy Hash: FF51BE70A00305DBDB10CFA9D888BAEBBF6BF49314F15421AE661D7398D770AE40CB61

Function 00CDC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CDC913

Strings

stop, xrefs: 00CDC8E4
warning, xrefs: 00CDC8FC
blank, xrefs: 00CDC895
question, xrefs: 00CDC8CC
info, xrefs: 00CDC8B4

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ab10ae6c9ce2560bf325fd898df5184d39a12ee8ae2a3c431a0acbf03d8f46f9
Instruction ID: 4aca7d62601861247312b17a7fced5b826e2526d3b71b3821df677c74f867410
Opcode Fuzzy Hash: ab10ae6c9ce2560bf325fd898df5184d39a12ee8ae2a3c431a0acbf03d8f46f9
Instruction Fuzzy Hash: 5011EB31689307BEEB059B559CD3DAA779CDF15364B60402BF604A63C2DBB09E01B274

Function 00CDED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CDED2A
_wcslen.LIBCMT ref: 00CDED3B
_wcslen.LIBCMT ref: 00CDED79
_wcslen.LIBCMT ref: 00CDEDAF
_wcslen.LIBCMT ref: 00CDEDDF
_wcslen.LIBCMT ref: 00CDEDEF
_wcslen.LIBCMT ref: 00CDEE2B
_wcslen.LIBCMT ref: 00CDEE5A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8a9d53ab61d577533a9c523c240c73e89120d862a8facc5f72bb27e6ceca8b08
Instruction ID: 21da221cad5db9466e4aa711f07ef65d1c0c499d70614c391c6bd2ca33758696
Opcode Fuzzy Hash: 8a9d53ab61d577533a9c523c240c73e89120d862a8facc5f72bb27e6ceca8b08
Instruction Fuzzy Hash: 4E418F75C1061865CF11FBB4C88E9CFB7ACAF45710F508562E618E3262EB34E656C3A5

Function 00C8F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00C8F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00CCF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00CCF454

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7161461a5eb72ece1529736e0c0bc9ad0ca733dd0f51faec249f5205a912e027
Instruction ID: e5ba439095f0e0175499473e23601b0312a76d05ab0738143ade7ffba0690ff4
Opcode Fuzzy Hash: 7161461a5eb72ece1529736e0c0bc9ad0ca733dd0f51faec249f5205a912e027
Instruction Fuzzy Hash: E0412031514780FBC739AF2DC888B2A7B92AB56318F14453CE09796670C6759983CB25

Function 00D02D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D02D1B
GetDC.USER32(00000000), ref: 00D02D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D02D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D02D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D02D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D02D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D05A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D02DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D02DE1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e8aa302afd0a2394f17bb4bd1ddffae69afa4a04eca557b9f8b80a8b47fb8acf
Instruction ID: 66d3361b5d417a0827664d91071c844b0b70bfbdbb00d04ef2f6a4626fe78d72
Opcode Fuzzy Hash: e8aa302afd0a2394f17bb4bd1ddffae69afa4a04eca557b9f8b80a8b47fb8acf
Instruction Fuzzy Hash: EF315A72212214ABEB218F508C8AFBB3BA9EB09715F084155FE0CDA2E1D6759C51CBB4

Function 00CD5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CD5637
_memcmp.LIBVCRUNTIME ref: 00CD5659
_memcmp.LIBVCRUNTIME ref: 00CD5671
_memcmp.LIBVCRUNTIME ref: 00CD5684
_memcmp.LIBVCRUNTIME ref: 00CD569E
_memcmp.LIBVCRUNTIME ref: 00CD56B1
_memcmp.LIBVCRUNTIME ref: 00CD56C9
_memcmp.LIBVCRUNTIME ref: 00CD56E4

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ba738563c14ffb6b1476a3f011c2cc1ef61f602b75f1a578fdcd01db2b35c7cb
Instruction ID: a450d6361a7bc1ea568733b08292623a7dd21ef31155aa18a729b49b9a7a412a
Opcode Fuzzy Hash: ba738563c14ffb6b1476a3f011c2cc1ef61f602b75f1a578fdcd01db2b35c7cb
Instruction Fuzzy Hash: 7121DE61744A09BBE61556118D87FFB336CBF10384F680026FF185ABC1F760EE1595B5

Function 00CF4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CF502E, 00CF5383
Not an Object type, xrefs: 00CF5007

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c2be5337868cef2f4bb08a9862017c3bbe722cacf2db8c4a0a7064b7e0cd830e
Instruction ID: cbb5240234909266112d16722061e4dba58061d487f5ffc42baec6e10bd679c5
Opcode Fuzzy Hash: c2be5337868cef2f4bb08a9862017c3bbe722cacf2db8c4a0a7064b7e0cd830e
Instruction Fuzzy Hash: C0D1A171A0060EAFDB54CF58C880BBEB7B5BF48344F148169EB15AB291D770EE45CB61

Function 00CB1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00CB17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00CB15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00CB17FB,?,00CB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB16FB

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00CB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB1777
__freea.LIBCMT ref: 00CB17A2
__freea.LIBCMT ref: 00CB17AE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d77134424cba9f9101b01778eee343c810dc704ace3e8bb51bbfa8b81c8f30aa
Instruction ID: cd1c161a9c5422ab1c9144e29ce3441005d07face1937c390c338b9df44068d2
Opcode Fuzzy Hash: d77134424cba9f9101b01778eee343c810dc704ace3e8bb51bbfa8b81c8f30aa
Instruction Fuzzy Hash: EE91B371E102169ADB208FA5C8A1AEEBBB5DF49310F9C0669FC15E7181DB35DE44CBA0

Function 00CF4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF4648
VariantInit.OLEAUT32(?), ref: 00CF4749
VariantClear.OLEAUT32(?), ref: 00CF4753
VariantClear.OLEAUT32(?), ref: 00CF47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CF472C
Null Object assignment in FOR..IN loop, xrefs: 00CF45D8, 00CF4706, 00CF47BE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9feca17cb4a79da3f29d068de45eb856a27cfd56a8d1675de56a991e0c8f9424
Instruction ID: 2956fa8acee412d7200d6aed370fdc40bcc0ee78c8881ecdc0fe1b8ad218337c
Opcode Fuzzy Hash: 9feca17cb4a79da3f29d068de45eb856a27cfd56a8d1675de56a991e0c8f9424
Instruction Fuzzy Hash: 5491B171A00219ABDF68DFA5C884FBFB7B8EF46714F10851AF615AB280D7709941CFA1

Function 00CE1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CE125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CE12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE1430

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: be284ca368d03e274e6842a4ea5733fc25835a59f690c928915e89bf36d17467
Instruction ID: e9fc0c5ed96dc2d9f32267d261a0879f7c93551fd3dff6c64f3bb87c61a4a38a
Opcode Fuzzy Hash: be284ca368d03e274e6842a4ea5733fc25835a59f690c928915e89bf36d17467
Instruction Fuzzy Hash: 4E91F271A002589FDB00DFAAC884BBEB7B5FF44325F294029EE10EB291D774E951DB90

Function 00C8948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cc11d60e0ebb4aae5ff43a63cce1654df8f7a4d3a911151c2e1c54e13970db0d
Instruction ID: 6e4faa7aa756eeb9488e407319bb2a557f57f45bff6a65686991e31d8567a147
Opcode Fuzzy Hash: cc11d60e0ebb4aae5ff43a63cce1654df8f7a4d3a911151c2e1c54e13970db0d
Instruction Fuzzy Hash: 9D912471D00219EFCB10DFA9C884AEEBBB8FF49324F188259E515B7251D374AA42DF64

Function 00CF3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF396B
CharUpperBuffW.USER32(?,?), ref: 00CF3A7A
_wcslen.LIBCMT ref: 00CF3A8A
VariantClear.OLEAUT32(?), ref: 00CF3C1F

Part of subcall function 00CE0CDF: VariantInit.OLEAUT32(00000000), ref: 00CE0D1F
Part of subcall function 00CE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CE0D28
Part of subcall function 00CE0CDF: VariantClear.OLEAUT32(?), ref: 00CE0D34

Strings

Incorrect Parameter format, xrefs: 00CF39A6, 00CF3BA1
AUTOIT.ERROR, xrefs: 00CF3A80, 00CF3A85

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 586b744b0c895d7c324f418e301c1250cfa0bc8cd50720ea938302303973501e
Instruction ID: 928dbc6bbb050cbef550265b3d09a0efe13435a4e5ae91d81220e3f30b6bb540
Opcode Fuzzy Hash: 586b744b0c895d7c324f418e301c1250cfa0bc8cd50720ea938302303973501e
Instruction Fuzzy Hash: B291AA70608349AFC744EF25C48092AB7E4FF88314F14892EF99A9B351DB30EE05DB92

Function 00CF4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00CD000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?,?,00CD035E), ref: 00CD002B
Part of subcall function 00CD000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0046
Part of subcall function 00CD000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0054
Part of subcall function 00CD000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?), ref: 00CD0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CF4C51
_wcslen.LIBCMT ref: 00CF4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CF4DCF
CoTaskMemFree.OLE32(?), ref: 00CF4DDA

Strings

NULL Pointer assignment, xrefs: 00CF4E23, 00CF4E52

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: fea5472dacf09938da3efe722888f4f140fe3256c45217b57d801623c080b0da
Instruction ID: 919db614bf90cd2f77219f06f71bfec5e9d5ec60fc2afec01ac81df82cdf2b14
Opcode Fuzzy Hash: fea5472dacf09938da3efe722888f4f140fe3256c45217b57d801623c080b0da
Instruction Fuzzy Hash: 41910771D0021DAFDF14DFA4C891AEEB7B9FF48310F10816AEA19A7291DB309A45DF61

Function 00D020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D02183
GetMenuItemCount.USER32(00000000), ref: 00D021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D021DD
_wcslen.LIBCMT ref: 00D02213
GetMenuItemID.USER32(?,?), ref: 00D0224D
GetSubMenu.USER32(?,?), ref: 00D0225B

Part of subcall function 00CD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3A57
Part of subcall function 00CD3A3D: GetCurrentThreadId.KERNEL32 ref: 00CD3A5E
Part of subcall function 00CD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD25B3), ref: 00CD3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D022E3

Part of subcall function 00CDE97B: Sleep.KERNEL32 ref: 00CDE9F3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 977569f3dc7ed9ade9fe57971493a7d4d2fb9ffc234fdca3430d5064ae27bca4
Instruction ID: a3339145d201b36c5fb7055f0832b33c799b9a987a83515b4d09d239169b5dfd
Opcode Fuzzy Hash: 977569f3dc7ed9ade9fe57971493a7d4d2fb9ffc234fdca3430d5064ae27bca4
Instruction Fuzzy Hash: D7715E75A00205AFCB14EFA4C889BBEB7F5EF48310F148459E95AEB391D734ED419BA0

Function 00CDAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CDAEF9
GetKeyboardState.USER32(?), ref: 00CDAF0E
SetKeyboardState.USER32(?), ref: 00CDAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CDAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CDAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CDAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CDB020

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c700f7aacf5b8469275f7b4d416e4a9bf9b8b99f2387121bcb2aa77098da22f8
Instruction ID: c5bc747042bd7d3bb4df61c82bbabfdbc31825f42910ae399813d21db3e86d9e
Opcode Fuzzy Hash: c700f7aacf5b8469275f7b4d416e4a9bf9b8b99f2387121bcb2aa77098da22f8
Instruction Fuzzy Hash: 525103E06047D17DFB3643348845BBBBEE95B06304F08858AE2E9859C2C3D8EEC8D361

Function 00CDACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CDAD19
GetKeyboardState.USER32(?), ref: 00CDAD2E
SetKeyboardState.USER32(?), ref: 00CDAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CDADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CDADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CDAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CDAE38

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de9a894ebfd2a2e5c3505cabe12f4291282aa98928ec9bfa0430f56bc054fe7e
Instruction ID: 30c8525ca3f9033bfca1acb7c2e12277aa85b1882a8d240bc5a8a8580d2bd58a
Opcode Fuzzy Hash: de9a894ebfd2a2e5c3505cabe12f4291282aa98928ec9bfa0430f56bc054fe7e
Instruction Fuzzy Hash: 0C510AA15047D53DFB374334CC45B7A7F995B46300F08858AE2E546ED2C394ED94E762

Function 00CA542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CB3CD6,?,?,?,?,?,?,?,?,00CA5BA3,?,?,00CB3CD6,?,?), ref: 00CA5470
__fassign.LIBCMT ref: 00CA54EB
__fassign.LIBCMT ref: 00CA5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CB3CD6,00000005,00000000,00000000), ref: 00CA552C
WriteFile.KERNEL32(?,00CB3CD6,00000000,00CA5BA3,00000000,?,?,?,?,?,?,?,?,?,00CA5BA3,?), ref: 00CA554B
WriteFile.KERNEL32(?,?,00000001,00CA5BA3,00000000,?,?,?,?,?,?,?,?,?,00CA5BA3,?), ref: 00CA5584

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ba7d3e1d025a68e16f3faa6338c87ca9841d8923d1b5f5edcb3fb650ee70ded5
Instruction ID: 9122ea5012f1c61369a75eefbbef2e677124e09a634e5dd1df5d785c08bad136
Opcode Fuzzy Hash: ba7d3e1d025a68e16f3faa6338c87ca9841d8923d1b5f5edcb3fb650ee70ded5
Instruction Fuzzy Hash: 1B51A4B1E0074A9FDB10CFA8D845AEEBBF9EF0A304F14815AF955E7291D7309A41CB60

Function 00C92D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C92D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C92D53
_ValidateLocalCookies.LIBCMT ref: 00C92DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C92E0C
_ValidateLocalCookies.LIBCMT ref: 00C92E61

Strings

csm, xrefs: 00C92DF6

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9d857adcc291ab2eeee55581709d522eb61189b2d20165704c67e70c327096b6
Instruction ID: 7904dffadca40f6df57185ab655a15cc9f8e767656925ae24e04b8cb09617062
Opcode Fuzzy Hash: 9d857adcc291ab2eeee55581709d522eb61189b2d20165704c67e70c327096b6
Instruction Fuzzy Hash: 9241C135A01209BBCF10DF68C889A9EBBB5BF44324F148155F864AB392D731AE55CBE0

Function 00CF10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF307A
Part of subcall function 00CF304E: _wcslen.LIBCMT ref: 00CF309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CF1112
WSAGetLastError.WSOCK32 ref: 00CF1121
WSAGetLastError.WSOCK32 ref: 00CF11C9
closesocket.WSOCK32(00000000), ref: 00CF11F9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d55257a6ce964c20297840fe1594b881fbf14da654defd9845dddb3ae59b9e55
Instruction ID: eb2ad36d1e9e2d7d5327c90a86c5c31c2c2c343f41adfe158d19d2e916905022
Opcode Fuzzy Hash: d55257a6ce964c20297840fe1594b881fbf14da654defd9845dddb3ae59b9e55
Instruction Fuzzy Hash: A741A231600208EFDB109F64C885BBDB7A9EF45364F18C159FE199B291C771AE41CBA2

Function 00CDCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CDCF22,?), ref: 00CDDDFD

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CDCF22,?), ref: 00CDDE16

lstrcmpiW.KERNEL32(?,?), ref: 00CDCF45
MoveFileW.KERNEL32(?,?), ref: 00CDCF7F
_wcslen.LIBCMT ref: 00CDD005
_wcslen.LIBCMT ref: 00CDD01B
SHFileOperationW.SHELL32(?), ref: 00CDD061

Strings

\*.*, xrefs: 00CDCFF3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 319e053c779e4930b64274ac0fa124d09bd28931ee5a524b3ef6449b3411cfad
Instruction ID: ed5e80d70e3f8a5e3489855d7cd4d7d0a1d428063c791c6da047fb8d4d8b0463
Opcode Fuzzy Hash: 319e053c779e4930b64274ac0fa124d09bd28931ee5a524b3ef6449b3411cfad
Instruction Fuzzy Hash: BF4135719452195FDF12EBA4D9C1ADDB7B9AF08380F1000E7E619EB242EB34A748DB50

Function 00D02DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D02E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00D02E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D02E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D02EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D02EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00D02EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D02F0B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5e80ca54041f7b02c5c0caa61351bbf5ae4644b21426a9068a0ce1082a88214d
Instruction ID: 6f6b9538d46eab6b9e9462182c2c3fdb8685101532cdc5d233e93dfe1497c97f
Opcode Fuzzy Hash: 5e80ca54041f7b02c5c0caa61351bbf5ae4644b21426a9068a0ce1082a88214d
Instruction Fuzzy Hash: 46310538686250AFDB21CF58DC88F6537E5EB4A750F191164FA18CB2F2CB71A880DB61

Function 00CD7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD778F
SysAllocString.OLEAUT32(00000000), ref: 00CD7792
SysAllocString.OLEAUT32(?), ref: 00CD77B0
SysFreeString.OLEAUT32(?), ref: 00CD77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00CD77DE
SysAllocString.OLEAUT32(?), ref: 00CD77EC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 88a73e800da2f26bc838298447b1878d284c88ce5fbfcf390663d4e002faadbd
Instruction ID: 12a4aa23c5bfac0de86748b1f1efe006b2bd4bf03f0ade25a919eb64904f4ab9
Opcode Fuzzy Hash: 88a73e800da2f26bc838298447b1878d284c88ce5fbfcf390663d4e002faadbd
Instruction Fuzzy Hash: D221A376604219AFDB11DFA8CC84DBB73ECEB09364701862ABA14DB290E670DD41C764

Function 00CD77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD7868
SysAllocString.OLEAUT32(00000000), ref: 00CD786B
SysAllocString.OLEAUT32 ref: 00CD788C
SysFreeString.OLEAUT32 ref: 00CD7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00CD78AF
SysAllocString.OLEAUT32(?), ref: 00CD78BD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 806fe0701c20701f4c3655dbe74589b4092abaad8f2e1c882e9dc2bae77262e7
Instruction ID: de18d27708a24b3a8d6f53a856b63e52189ef8e241abefbfe727b42db5124bbe
Opcode Fuzzy Hash: 806fe0701c20701f4c3655dbe74589b4092abaad8f2e1c882e9dc2bae77262e7
Instruction Fuzzy Hash: E1217431604204AFDB10AFA8DC89DAA77ECFB097607108226FA15DB3E1E674ED41DB74

Function 00CE04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CE04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE052E

Strings

nul, xrefs: 00CE0567

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7e43d75a5b5b071be39dc1fb691c8e0bcfbe0f3585c22692db85a01715e4343b
Instruction ID: 2619ef134206a56d1bc5b92285085401f2f06737740f20666b0bfcb93a64a142
Opcode Fuzzy Hash: 7e43d75a5b5b071be39dc1fb691c8e0bcfbe0f3585c22692db85a01715e4343b
Instruction Fuzzy Hash: 52218D71501345AFDB208F2ADC04A9A77B4AF45724F304A19F8B1E62E0D7B0DA80CFA4

Function 00CE05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CE05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE0601

Strings

nul, xrefs: 00CE0639

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3cf40f152e3655701cb4cf0682d8e4ed967785b8505dfe8a7d20f55cf5c492ab
Instruction ID: 098d735c7b6c658771e2c867f3ae7ce21f822e5a20eb2c299c881d5cc7e8f6b5
Opcode Fuzzy Hash: 3cf40f152e3655701cb4cf0682d8e4ed967785b8505dfe8a7d20f55cf5c492ab
Instruction Fuzzy Hash: A9217F755003459BDB209F6A9C04B9A77A8AF95721F340B19FCB1E72E0D7B099A0CBA4

Function 00D040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C7604C
Part of subcall function 00C7600E: GetStockObject.GDI32(00000011), ref: 00C76060
Part of subcall function 00C7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D04112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D0411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D0412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D04139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D04145

Strings

Msctls_Progress32, xrefs: 00D040E3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 944956232c288fe3e6835bccdbf651cdd566e6071d3588b3ad8e90f56c0b4463
Instruction ID: 059d5d85c145c1268c321a0d40f5a664ce17a7568458a77736350628d972f698
Opcode Fuzzy Hash: 944956232c288fe3e6835bccdbf651cdd566e6071d3588b3ad8e90f56c0b4463
Instruction Fuzzy Hash: 801190B215021DBEEF218F64CC85EE77F6DEF08798F004110BB58A21A0CA729C61DBB4

Function 00CAD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CAD7A3: _free.LIBCMT ref: 00CAD7CC

_free.LIBCMT ref: 00CAD82D

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CAD838
_free.LIBCMT ref: 00CAD843
_free.LIBCMT ref: 00CAD897
_free.LIBCMT ref: 00CAD8A2
_free.LIBCMT ref: 00CAD8AD
_free.LIBCMT ref: 00CAD8B8

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 3f49c79b0783b8bd7731d99c1b1bfc0deca6b3a6784e36ce971d980f00ce2bb0
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: B3115E71540B19AAD621BFB0CC47FCB7BDCAF02B04F400825B29BE68A2DA65B505A661

Function 00CDDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CDDA74
LoadStringW.USER32(00000000), ref: 00CDDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CDDA91
LoadStringW.USER32(00000000), ref: 00CDDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CDDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CDDAB9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 6c6d6fd55287fcdd0e71f258e1965b0acc3e7b6b576a4bc24869cfa9b9fcc4d2
Instruction ID: 78ec766aa419bb2d369f5cbd9eba3856fd5f942ebb78eef2e91e743b17a6fc3b
Opcode Fuzzy Hash: 6c6d6fd55287fcdd0e71f258e1965b0acc3e7b6b576a4bc24869cfa9b9fcc4d2
Instruction Fuzzy Hash: 500162F69103087FE7109BA49D89FEB326CE708701F405592B70AE2181E6749E844F75

Function 00CE096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0102E1A8,0102E1A8), ref: 00CE097B
EnterCriticalSection.KERNEL32(0102E188,00000000), ref: 00CE098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00CE099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00CE09A9
CloseHandle.KERNEL32(00000000), ref: 00CE09B8
InterlockedExchange.KERNEL32(0102E1A8,000001F6), ref: 00CE09C8
LeaveCriticalSection.KERNEL32(0102E188), ref: 00CE09CF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 384fd60e5b62262c2a5cba4bedd01ed31c408b3d6ba11ceef832e766c3b02acb
Instruction ID: b3fc06fba45260469dfac61ccc5d40bce4e40bc0cad3f0efd36199d7cd4befaa
Opcode Fuzzy Hash: 384fd60e5b62262c2a5cba4bedd01ed31c408b3d6ba11ceef832e766c3b02acb
Instruction Fuzzy Hash: FCF03C32552B02BBD7415FA4EE8CBD6BB39FF01702F502225F20690DA1C7749565CFA4

Function 00CF1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CF1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CF1DE1
WSAGetLastError.WSOCK32 ref: 00CF1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00CF1EDB
inet_ntoa.WSOCK32(?), ref: 00CF1E8C

Part of subcall function 00CD39E8: _strlen.LIBCMT ref: 00CD39F2

Part of subcall function 00CF3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00CEEC0C), ref: 00CF3240

_strlen.LIBCMT ref: 00CF1F35

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: fa0a48df6083d8613603a1c9a52a61c621fd3a369946431e19c423da4b22f888
Instruction ID: 56e11dda27951a88f254bc902711c5e34c6244db2bfc293aff59575656caf868
Opcode Fuzzy Hash: fa0a48df6083d8613603a1c9a52a61c621fd3a369946431e19c423da4b22f888
Instruction Fuzzy Hash: 5DB1D030204344AFC364DF64C885F3A77A5AF84318F58854CF96A5B2E2DB31EE46CB92

Function 00CA01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CA00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA00D6
__allrem.LIBCMT ref: 00CA00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA010B
__allrem.LIBCMT ref: 00CA0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA0140

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7a0b642fef2eff9d56cd4256c5e02c7c466c416de0e2c218885651ab70ecd7e9
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0981E672A00B079BEB249F69CC46BAE73E9AF42368F24413EF561D7281E770DA019750

Function 00CA61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C982D9,00C982D9,?,?,?,00CA644F,00000001,00000001,8BE85006), ref: 00CA6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CA644F,00000001,00000001,8BE85006,?,?,?), ref: 00CA62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CA63D8
__freea.LIBCMT ref: 00CA63E5

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

__freea.LIBCMT ref: 00CA63EE
__freea.LIBCMT ref: 00CA6413

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d55e05fbe2f576d9c5625b23c422de1d13753029f653c7e45c6f34d6df48f941
Instruction ID: e8d12f660b8364cd6b2b0aaaf235a20c802883a1454de4b0176db2f5e9952052
Opcode Fuzzy Hash: d55e05fbe2f576d9c5625b23c422de1d13753029f653c7e45c6f34d6df48f941
Instruction Fuzzy Hash: B751EF72A00217ABDF258F64CC81EAF7BAAEF46718F184229FD15D6190EB34DD41D6A0

Function 00CFBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CFBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CFBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CFBDF3
RegCloseKey.ADVAPI32(?), ref: 00CFBDFF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 0a8dcd51520e3f741a3d94610ae00edc6ff6d8f08631e3bfb0898ecd46b6486e
Instruction ID: fe82e159f35a23856bab88f5043380ff51f4510aa04c5ae3b7e6c592f975cd20
Opcode Fuzzy Hash: 0a8dcd51520e3f741a3d94610ae00edc6ff6d8f08631e3bfb0898ecd46b6486e
Instruction Fuzzy Hash: 99819C30218245EFD754DF24C881E2ABBE5FF84308F14895CF6598B2A2DB31EE45DB92

Function 00CCF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00CCF7B9
SysAllocString.OLEAUT32(00000001), ref: 00CCF860
VariantCopy.OLEAUT32(00CCFA64,00000000), ref: 00CCF889
VariantClear.OLEAUT32(00CCFA64), ref: 00CCF8AD
VariantCopy.OLEAUT32(00CCFA64,00000000), ref: 00CCF8B1
VariantClear.OLEAUT32(?), ref: 00CCF8BB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 71b9c58f883a8fc3fe8d320a21f56accbac02ca6e9b0e22617cee825f5ce1b0f
Instruction ID: ecc902fb899e48fd4b62662be3fc753dfa0e92b95303588414d1e8f5ae294bdd
Opcode Fuzzy Hash: 71b9c58f883a8fc3fe8d320a21f56accbac02ca6e9b0e22617cee825f5ce1b0f
Instruction Fuzzy Hash: 7A51D431610310ABCF24BF66D895F29B3A6EF45310B24946FE906DF291DB709C82D7A7

Function 00CE910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CE94E5
_wcslen.LIBCMT ref: 00CE9506
_wcslen.LIBCMT ref: 00CE952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CE9585

Strings

X, xrefs: 00CE9412

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 904927a164bc064177e2b82317b92f90f4563511c60c01d5ecf5bc1c3f6e5e56
Instruction ID: 4fffb07c7b329c88517aec552783230f8761ae0c2f9bf45fa8ea07f6d1a75789
Opcode Fuzzy Hash: 904927a164bc064177e2b82317b92f90f4563511c60c01d5ecf5bc1c3f6e5e56
Instruction Fuzzy Hash: 9AE1BF315083419FD724EF25C881A6EB7E4FF85314F14896DF8999B2A2DB31EE05CB92

Function 00C8920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

BeginPaint.USER32(?,?,?), ref: 00C89241
GetWindowRect.USER32(?,?), ref: 00C892A5
ScreenToClient.USER32(?,?), ref: 00C892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C892D3
EndPaint.USER32(?,?,?,?,?), ref: 00C89321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CC71EA

Part of subcall function 00C89339: BeginPath.GDI32(00000000), ref: 00C89357

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: cf6b0fa9be36d38c360c5198b91de21dd9e642dd15fc21b1ba7074d375d056b3
Instruction ID: 607da9bdd178e400ccdd219e044d0066a12c007da57de84b113637c01e93ad65
Opcode Fuzzy Hash: cf6b0fa9be36d38c360c5198b91de21dd9e642dd15fc21b1ba7074d375d056b3
Instruction Fuzzy Hash: 4B41AC74104300AFD721EF24D884FBA7BA8EB46324F180229F9A9D72F1C7719985DB62

Function 00CE07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CE080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CE0847
EnterCriticalSection.KERNEL32(?), ref: 00CE0863
LeaveCriticalSection.KERNEL32(?), ref: 00CE08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CE08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE0921

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1a4a4c4744b452f065591599c26498d17cde2b4b96f2fa07dad2f165c8952513
Instruction ID: b12c3abb89ca922570a08ccafadd91fc411ca8c76845fdfc9e4ecf3935b884d5
Opcode Fuzzy Hash: 1a4a4c4744b452f065591599c26498d17cde2b4b96f2fa07dad2f165c8952513
Instruction Fuzzy Hash: 30417A71900205EFDF14AF64DC85AAA77B8FF44304F2440A9ED04DA297DB70DEA1DBA4

Function 00D081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CCF3AB,00000000,?,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00D0824C
EnableWindow.USER32(00000000,00000000), ref: 00D08272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D082D1
ShowWindow.USER32(00000000,00000004), ref: 00D082E5
EnableWindow.USER32(00000000,00000001), ref: 00D0830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D0832F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5e88630bbbbec12ecfc4b46680d783499e21c0c204f2b00211dc73fbc2914ef
Instruction ID: e4958abebac269043890da7f465e736d8e74d1cadf356ca22cba8dcd126363d8
Opcode Fuzzy Hash: b5e88630bbbbec12ecfc4b46680d783499e21c0c204f2b00211dc73fbc2914ef
Instruction Fuzzy Hash: C0418338601744AFDF21CF25C899BA47BE0FB4A715F185269E55C8B2E2CB31A841DF74

Function 00CD4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CD4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CD4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CD4CEA
_wcslen.LIBCMT ref: 00CD4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CD4D10
_wcsstr.LIBVCRUNTIME ref: 00CD4D1A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1e3da8db2d9e0cec8eefd8cd1ad60187ad57d5348923f8d824004f60d80c6d45
Instruction ID: 49abb039091da2d242ea3e990181fdae801d33d9a33af211eaf65bf2ca100767
Opcode Fuzzy Hash: 1e3da8db2d9e0cec8eefd8cd1ad60187ad57d5348923f8d824004f60d80c6d45
Instruction Fuzzy Hash: FE210832204204BBEB295B39EC49E7B7B9DDF45750F10813EFA09CA2A1EE71DD4197A0

Function 00CE581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

_wcslen.LIBCMT ref: 00CE587B
CoInitialize.OLE32(00000000), ref: 00CE5995
CoCreateInstance.OLE32(00D0FCF8,00000000,00000001,00D0FB68,?), ref: 00CE59AE
CoUninitialize.OLE32 ref: 00CE59CC

Strings

.lnk, xrefs: 00CE5876, 00CE58C1, 00CE5985

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4ae4e3ef6d0d6b4420e6bacaab924478c49a08a41f23f15243ad4858f24d633c
Instruction ID: 5f9ca23dbc698c69cbeee8f4697ee4d1ad2fa09aa0f7dbdacda1be7bce75087e
Opcode Fuzzy Hash: 4ae4e3ef6d0d6b4420e6bacaab924478c49a08a41f23f15243ad4858f24d633c
Instruction Fuzzy Hash: E1D185716047019FC714DF26C484A2ABBE1FF89718F14895DF8999B362CB31ED46CB92

Function 00CD175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD0FCA
Part of subcall function 00CD0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD0FD6
Part of subcall function 00CD0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD0FE5
Part of subcall function 00CD0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD0FEC
Part of subcall function 00CD0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD1002

GetLengthSid.ADVAPI32(?,00000000,00CD1335), ref: 00CD17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CD17BA
HeapAlloc.KERNEL32(00000000), ref: 00CD17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CD17DA
GetProcessHeap.KERNEL32(00000000,00000000,00CD1335), ref: 00CD17EE
HeapFree.KERNEL32(00000000), ref: 00CD17F5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 38eaa145ca229016dece84706f348674259b23a7035ef0d6353db0803f3aafff
Instruction ID: cbd8bc3a3f2e66df25a2bea4a5ac409234ed03e4da1f63765eef4f21a5db28b6
Opcode Fuzzy Hash: 38eaa145ca229016dece84706f348674259b23a7035ef0d6353db0803f3aafff
Instruction Fuzzy Hash: 99119A31610305FBDB109FA4CC49BAE7BB9EB45355F19421AF945D7320C735AA40CB60

Function 00CD14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CD14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00CD1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CD1515
CloseHandle.KERNEL32(00000004), ref: 00CD1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CD154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CD1563

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3088b5c2554893597885c1bdf31033002dfa743d3ee376a2c4680af95c418e2b
Instruction ID: 7ee84d6e5237c20dbc02bfdf8176c98b0172d15f8dc44855dfbd42e32e26dd6a
Opcode Fuzzy Hash: 3088b5c2554893597885c1bdf31033002dfa743d3ee376a2c4680af95c418e2b
Instruction Fuzzy Hash: 35112972510209BBDF118F98ED49BDE7BA9EF48744F088119FE19A22A0D375CE60DB60

Function 00C93382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C93379,00C92FE5), ref: 00C93390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C9339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C933B7
SetLastError.KERNEL32(00000000,?,00C93379,00C92FE5), ref: 00C93409

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a6154386cf7a02f5edfac67c62e736269ffb09200013b8bc10fe618a579cf995
Instruction ID: 00e0b56a5c2cd8a6b81594f441f5c76a593eab588080cf9c06ebbe646719f04f
Opcode Fuzzy Hash: a6154386cf7a02f5edfac67c62e736269ffb09200013b8bc10fe618a579cf995
Instruction Fuzzy Hash: F501283226D391BEEF2827757C8D61B2E54FB057BA3200329F420D02F0EF114E026264

Function 00CA2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CA5686,00CB3CD6,?,00000000,?,00CA5B6A,?,?,?,?,?,00C9E6D1,?,00D38A48), ref: 00CA2D78
_free.LIBCMT ref: 00CA2DAB
_free.LIBCMT ref: 00CA2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C9E6D1,?,00D38A48,00000010,00C74F4A,?,?,00000000,00CB3CD6), ref: 00CA2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C9E6D1,?,00D38A48,00000010,00C74F4A,?,?,00000000,00CB3CD6), ref: 00CA2DEC
_abort.LIBCMT ref: 00CA2DF2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 54e828c6e2b0b45e378237e8e9a0a48fd20365ddb660ab05b6fe8b20d02ecbc1
Instruction ID: 082534432524de331b52aae58cb4aa906fbe8da5f8d13b2604befc1dce768455
Opcode Fuzzy Hash: 54e828c6e2b0b45e378237e8e9a0a48fd20365ddb660ab05b6fe8b20d02ecbc1
Instruction Fuzzy Hash: D4F0A9319157232BC222273DBC06B5B1665AFC376DB250614F438D22D3EF248901A171

Function 00D08A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C89693
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896A2
Part of subcall function 00C89639: BeginPath.GDI32(?), ref: 00C896B9
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D08A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D08A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D08A70
LineTo.GDI32(?,00000000,00000003), ref: 00D08A80
EndPath.GDI32(?), ref: 00D08A90
StrokePath.GDI32(?), ref: 00D08AA0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b7254a2ba918ce9a724434fa48094c651e9d1eff84ea9a26d8ea5999fdcbf0c1
Instruction ID: 154ba7e349de1153ef9fb38a29740f94ec907864c1782458c3c1f078402e0aaf
Opcode Fuzzy Hash: b7254a2ba918ce9a724434fa48094c651e9d1eff84ea9a26d8ea5999fdcbf0c1
Instruction Fuzzy Hash: 5D11C976000209FFEB129F94DC88FAA7F6DEB08394F048112FA599A2A1D7719D55DFB0

Function 00CD51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CD5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CD5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CD5230
ReleaseDC.USER32(00000000,00000000), ref: 00CD5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CD524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00CD5261

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: beeef21133320a9cc8e832abc5f09cb254bf8931710e57628ca60fc8cd48dd0b
Instruction ID: d2aece3c9cda9b3ec0ebd7eb23a49d7fa6d8d69a36cc87625e16139e54c98316
Opcode Fuzzy Hash: beeef21133320a9cc8e832abc5f09cb254bf8931710e57628ca60fc8cd48dd0b
Instruction Fuzzy Hash: 67014F75E00718BBEB109BA59C49F5EBFB8EB48751F044166FA08E7391D6709904CBA0

Function 00C71BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C71BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C71BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C71C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C71C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C71C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C71C22

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2e011c15800c06540fdd2798a43918dec3ef6f99330623f8762c0f0a6c70f168
Instruction ID: 2462ed7be34e763f903937b2babda911bb4452220dd1deb198544e046c53cd14
Opcode Fuzzy Hash: 2e011c15800c06540fdd2798a43918dec3ef6f99330623f8762c0f0a6c70f168
Instruction Fuzzy Hash: EF016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00CDEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CDEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CDEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00CDEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDEB75

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e06d4ba0e3a9a7a5be55823dfa56a86911f55acd40a9f159bb6752a894c18240
Instruction ID: 8bd131eac2a2b89198c887c5e5e182cdc65ee8acf26f2c66d8b429f6ea3d8801
Opcode Fuzzy Hash: e06d4ba0e3a9a7a5be55823dfa56a86911f55acd40a9f159bb6752a894c18240
Instruction Fuzzy Hash: 9AF09A72210318BBE7206B629C0EFEF3A7CEFCAB11F001259F605D12A0D7A11A01CAB5

Function 00CC7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00CC7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CC7469
GetWindowDC.USER32(?), ref: 00CC7475
GetPixel.GDI32(00000000,?,?), ref: 00CC7484
ReleaseDC.USER32(?,00000000), ref: 00CC7496
GetSysColor.USER32(00000005), ref: 00CC74B0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 407f27f3ed0844592e7479c03f6f789be4286edcf88ba791e23d701c97a2d978
Instruction ID: 82bc42ea0ce0b736623a0028a9d3c2759b9e1a25d309eadc4421e7fbb88918b7
Opcode Fuzzy Hash: 407f27f3ed0844592e7479c03f6f789be4286edcf88ba791e23d701c97a2d978
Instruction Fuzzy Hash: 3B012831410615EFDB619F64DC08BAA7BB5FB04321F551264FA29E22A1CB311E51AF61

Function 00CD1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD187F
UnloadUserProfile.USERENV(?,?), ref: 00CD188B
CloseHandle.KERNEL32(?), ref: 00CD1894
CloseHandle.KERNEL32(?), ref: 00CD189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD18A5
HeapFree.KERNEL32(00000000), ref: 00CD18AC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9f707e86e6ac8b3baa4f2a63e2bad312f573cb8f03dfde3769fbb936eae4c656
Instruction ID: 8ebd31ec4dcf5b0aae42111e0c14b65de43e8bb4f9a5d31bf8bba2eabba746c6
Opcode Fuzzy Hash: 9f707e86e6ac8b3baa4f2a63e2bad312f573cb8f03dfde3769fbb936eae4c656
Instruction Fuzzy Hash: 79E0ED36124301BBD7015FA1ED0CA05BF39FF597217109324F229C1270CB325420DF61

Function 00CDC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CDC6EE
_wcslen.LIBCMT ref: 00CDC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CDC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CDC7CA

Strings

0, xrefs: 00CDC6AF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8577491e0d05200b004fc0b867d03598b917c777d6059b204928cad3b6a9a0ad
Instruction ID: 7cdd15fe34f2894141b16ec670e28aee5e96db6570d3a6af5e925b3d821fa53c
Opcode Fuzzy Hash: 8577491e0d05200b004fc0b867d03598b917c777d6059b204928cad3b6a9a0ad
Instruction Fuzzy Hash: D651A0716143029BD714AF28C8C5B6AB7E8AF45314F050A2EFAA5D23D0DB70DA45DB52

Function 00CFAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CFAEA3

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

GetProcessId.KERNEL32(00000000), ref: 00CFAF38
CloseHandle.KERNEL32(00000000), ref: 00CFAF67

Strings

<, xrefs: 00CFAE6B
@, xrefs: 00CFAE72

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b3fafa332a0491a6f670cc15c199384ecfdacb0b438e73c6a81d21bcf345a510
Instruction ID: b4dd5c55830fa733f1df0969b5cb03071d80f4db1a5e6d0e95c95a48aaf6a409
Opcode Fuzzy Hash: b3fafa332a0491a6f670cc15c199384ecfdacb0b438e73c6a81d21bcf345a510
Instruction Fuzzy Hash: 5C717D71A00219DFCB14DF94C484AAEBBF0FF08314F148499E91AAB362C774EE41DB92

Function 00CD719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CD723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CD724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD72CF

Strings

DllGetClassObject, xrefs: 00CD7242

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1d8e0435fab50e2a5b9f1c48409c69f57ac07c0eb14bac5476128c40bf8295ba
Instruction ID: bb6bf52e49ec36db1828676ce3689e3d1009e7c03fc0d12d1d83e9e101f490e9
Opcode Fuzzy Hash: 1d8e0435fab50e2a5b9f1c48409c69f57ac07c0eb14bac5476128c40bf8295ba
Instruction Fuzzy Hash: B8416171604204EFDB15CF54C884B9A7BA9EF44310F1482AEBE09DF34AE7B5DA45DBA0

Function 00CD1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CD1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CD1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CD1EA9

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Strings

ListBox, xrefs: 00CD1E25
ComboBox, xrefs: 00CD1DF0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 84d50be524ad28eaf477924595bfffaae88d10b0917947787970b0e121010150
Instruction ID: b0439533a61abc6bc809d8699d1fd2cec2519845ef4e8cd4ed8a7f624264ca15
Opcode Fuzzy Hash: 84d50be524ad28eaf477924595bfffaae88d10b0917947787970b0e121010150
Instruction Fuzzy Hash: 79214971A00104BFDB14AB60DC4ADFFB7B8DF42354F14411AFD29A36E1DB344A0AA630

Function 00D02F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D02F8D
LoadLibraryW.KERNEL32(?), ref: 00D02F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D02FA9
DestroyWindow.USER32(?), ref: 00D02FB1

Strings

SysAnimate32, xrefs: 00D02F68

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d082f78dfeb4a15c075437e30688b0131a224708dc5ebdda675c44b32d9336e8
Instruction ID: 0f2f283ce7d6cee3eed26e3e8aa31ebbfb8061b1f6bf3037ce50a79d367ff7bd
Opcode Fuzzy Hash: d082f78dfeb4a15c075437e30688b0131a224708dc5ebdda675c44b32d9336e8
Instruction Fuzzy Hash: F821CA7120120AABEB214F66DC88FBB7BB9EF593A4F140218FA58D21E0C771DC819770

Function 00C94D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C94D1E,00CA28E9,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002), ref: 00C94D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C94DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C94D1E,00CA28E9,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002,00000000), ref: 00C94DC3

Strings

mscoree.dll, xrefs: 00C94D86
CorExitProcess, xrefs: 00C94D98

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f4dce6fc0aa02ead331b6ed64e4f744aadc075b0278605297290378d07ecd113
Instruction ID: 3158db6a95e8b26a608b5316d85f496b78e3e32e563ec44825088e6d05727041
Opcode Fuzzy Hash: f4dce6fc0aa02ead331b6ed64e4f744aadc075b0278605297290378d07ecd113
Instruction Fuzzy Hash: EEF03C35A50308BBDB159F90DC49BEDBFA5EB44752F0401A4B809E22A0DB705A85DBA1

Function 00CCD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00CCD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CCD3BF
FreeLibrary.KERNEL32(00000000), ref: 00CCD3E5

Strings

X64, xrefs: 00CCD2A8
GetSystemWow64DirectoryW, xrefs: 00CCD3B9

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ef41784f567aa22f75214bc8df5b582c9a3e95fb178b1de643452c4cac87d358
Instruction ID: 1fcfc701d358c8f26a3e29c5e6a4744fb977868b36d60e8ab9f1f2cabe1d21aa
Opcode Fuzzy Hash: ef41784f567aa22f75214bc8df5b582c9a3e95fb178b1de643452c4cac87d358
Instruction Fuzzy Hash: 54F05C70915B519BD7312711CC58F6E77209F11701F59927CF40BE22A0C760CE4087A3

Function 00C74E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C74EAE
FreeLibrary.KERNEL32(00000000,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C74EA8
kernel32.dll, xrefs: 00C74E94

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d2e22dcac22d0ea0106cda9e222644d277e54ec5c3629f553690713f47a8a31a
Instruction ID: e8fe35077e2013e2555c38c8ab60194fa541328478b18123350ad8881a7bd088
Opcode Fuzzy Hash: d2e22dcac22d0ea0106cda9e222644d277e54ec5c3629f553690713f47a8a31a
Instruction Fuzzy Hash: ABE0C236A127225FD2321B25AC18B6FB658EF82F72B054215FC0CE2380DBE4CE0580F2

Function 00C74E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C74E74
FreeLibrary.KERNEL32(00000000,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C74E6E
kernel32.dll, xrefs: 00C74E5B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 39bf2c69ca4c8703b75f39fe3aadb0bd0ef940636d2aa2c8d0c16ff7fba1436f
Instruction ID: a8b086ac86acd1ffba626ffcc1c0871319c6598572359272ab29aab5b4dd166e
Opcode Fuzzy Hash: 39bf2c69ca4c8703b75f39fe3aadb0bd0ef940636d2aa2c8d0c16ff7fba1436f
Instruction Fuzzy Hash: 3BD012365127215BD6261B266C18F8BAA1CEF85B613056715B91DE2254CFA4CE0186F1

Function 00CFA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CFA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CFA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CFA468
CloseHandle.KERNEL32(?), ref: 00CFA63D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6c1fd8243bac20281a63b565c2a8ed1e07a3c38150bd5ac1e02139a8fabbe4ad
Instruction ID: 639cec1b7e8559288a493c8a718df4c51ac3352082d78244f692cf269b43b066
Opcode Fuzzy Hash: 6c1fd8243bac20281a63b565c2a8ed1e07a3c38150bd5ac1e02139a8fabbe4ad
Instruction Fuzzy Hash: BCA190B16047019FD760DF28C886F2AB7E5AF84714F14881DFA6ADB392D770ED418B92

Function 00CABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D13700), ref: 00CABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D4121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D41270,000000FF,?,0000003F,00000000,?), ref: 00CABC36
_free.LIBCMT ref: 00CABB7F

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CABD4B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 59b883b9e5d0acc0b7ea412227270d907adf92f641898025928e02341af02212
Instruction ID: 93a47e978f1dcbad4e04d547a116c66692e0f3dcc431a0009032a6645b1061e6
Opcode Fuzzy Hash: 59b883b9e5d0acc0b7ea412227270d907adf92f641898025928e02341af02212
Instruction Fuzzy Hash: 2B51EC7590031A9FCB10DF659C819AEB7B8EF42328F10426AE564D72A2EB705E40D764

Function 00CDE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CDCF22,?), ref: 00CDDDFD

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CDCF22,?), ref: 00CDDE16

Part of subcall function 00CDE199: GetFileAttributesW.KERNEL32(?,00CDCF95), ref: 00CDE19A

lstrcmpiW.KERNEL32(?,?), ref: 00CDE473
MoveFileW.KERNEL32(?,?), ref: 00CDE4AC
_wcslen.LIBCMT ref: 00CDE5EB
_wcslen.LIBCMT ref: 00CDE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CDE650

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 59a25ca36e698ee6a7d91960a451f5cd260ab8751115bbbf6512adc25aa243b6
Instruction ID: 5608c6c293bf3310deca2c45d969f9389b0840c1d6c1c577e1f7fd942a094ca8
Opcode Fuzzy Hash: 59a25ca36e698ee6a7d91960a451f5cd260ab8751115bbbf6512adc25aa243b6
Instruction Fuzzy Hash: B85180B25087455BCB24EB90D881ADF73ECAF84340F00491FF699D7291EF34A6889766

Function 00CFB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CFBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CFBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CFBBB3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f4c10d9cef9c3e142afb81b819525366a98e9715a85abdd84b95fc430da78ba0
Instruction ID: b4bb43f19554c17fea793165d3cf171269a954af9a946302d33f79c3537f2a92
Opcode Fuzzy Hash: f4c10d9cef9c3e142afb81b819525366a98e9715a85abdd84b95fc430da78ba0
Instruction Fuzzy Hash: 6A619D31208245AFD754DF24C891E3ABBE5FF84308F14899CF5998B2A2DB31ED45DB92

Function 00CD8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD8BCD
VariantClear.OLEAUT32 ref: 00CD8C3E
VariantClear.OLEAUT32 ref: 00CD8C9D
VariantClear.OLEAUT32(?), ref: 00CD8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CD8D3B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e07e1766432ec0835b5e33deba2eb77c9475149d9d05ce0ef53e1469a219b1fd
Instruction ID: e9bc86561df6e4d8e0632870242f51fb4ed2c05e5dc8d074d99db4792f2738b1
Opcode Fuzzy Hash: e07e1766432ec0835b5e33deba2eb77c9475149d9d05ce0ef53e1469a219b1fd
Instruction Fuzzy Hash: CA516DB5A1021AEFCB14CF58C894AAAB7F5FF89310B15855AF919DB350E730E911CFA0

Function 00CE8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CE8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CE8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CE8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CE8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CE8C5F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4d85a89d47576f09a32ee721cde08d91982a7d455bb14e33dffa7aebf3f03829
Instruction ID: fe3c05c4c68c646b6b8b8369e29698b544ace345c4cda98863547fd66ce1ea04
Opcode Fuzzy Hash: 4d85a89d47576f09a32ee721cde08d91982a7d455bb14e33dffa7aebf3f03829
Instruction Fuzzy Hash: 4F513835A002199FCB05DF65C881A69BBF5FF49314F18C058E84DAB3A2CB31ED51DBA0

Function 00CF8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CF8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CF8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CF8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CF9032
FreeLibrary.KERNEL32(00000000), ref: 00CF9052

Part of subcall function 00C8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CE1043,?,7556E610), ref: 00C8F6E6
Part of subcall function 00C8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CCFA64,00000000,00000000,?,?,00CE1043,?,7556E610,?,00CCFA64), ref: 00C8F70D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 899b0a90144d5ab9a0daf4167f99af166251953f8191d34b036d31c08d8057e0
Instruction ID: ea92d8f632f553c89435d60c3fe60399b7f17a9f9b0dd650d161fbc4eaa0d81e
Opcode Fuzzy Hash: 899b0a90144d5ab9a0daf4167f99af166251953f8191d34b036d31c08d8057e0
Instruction Fuzzy Hash: 8D515D34600209DFCB55DF58C495DADBBF1FF49314B0481A8E91A9B362DB31EE86CB92

Function 00D06B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D06C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D06C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D06C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CEAB79,00000000,00000000), ref: 00D06C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D06CC7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a4418f04b7fc9888e97390f1e345540ab370ec8138581a42fa888d1ea94231bf
Instruction ID: 8ff452a96b22660a7a4901f1436f96be38e39b4afc1b6277eedca999d2cb6cb1
Opcode Fuzzy Hash: a4418f04b7fc9888e97390f1e345540ab370ec8138581a42fa888d1ea94231bf
Instruction Fuzzy Hash: 56418035A04204AFE724CF28CC59BA97FA5EB09350F190268F99DE73E0C771ED61DA64

Function 00CA2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA20C3
_free.LIBCMT ref: 00CA20E3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b74f896d2c907d00be9ff4f5756b34393539ddc8ba4175c5b22c0b35e2a37b11
Instruction ID: 0cdad9ebde6fcb4ff23448c1ddb3168589c04fc2c119872bd07ffa83248d7427
Opcode Fuzzy Hash: b74f896d2c907d00be9ff4f5756b34393539ddc8ba4175c5b22c0b35e2a37b11
Instruction Fuzzy Hash: 6841F372A002119FCB24DF7CC880A5EB7F5EF8A318F154569E615EB392D731AE01DB80

Function 00C8912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C89141
ScreenToClient.USER32(00000000,?), ref: 00C8915E
GetAsyncKeyState.USER32(00000001), ref: 00C89183
GetAsyncKeyState.USER32(00000002), ref: 00C8919D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d5cee629e1958eb47fb5da0d8a22f63ee7f655ebca2a1e9d764e766afea55602
Instruction ID: ee550a4a4550d58c4daa10d78dfe271681e6dc959511ca68957f42d48d1216de
Opcode Fuzzy Hash: d5cee629e1958eb47fb5da0d8a22f63ee7f655ebca2a1e9d764e766afea55602
Instruction Fuzzy Hash: B8416F31A0860ABBDF15AF65C848BFEB774FB05324F248319E429A32D0C7746A50DFA5

Function 00CE3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CE38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CE3922
TranslateMessage.USER32(?), ref: 00CE394B
DispatchMessageW.USER32(?), ref: 00CE3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE3966

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d67d6ae06bc68e1b19f3f8e6aea6f9194002bac2ae76a4faeb5a37cfeba67046
Instruction ID: 3e8b3b2426dc3b817de9fcc94292cdd43c92341b0049507328202fd855052b0a
Opcode Fuzzy Hash: d67d6ae06bc68e1b19f3f8e6aea6f9194002bac2ae76a4faeb5a37cfeba67046
Instruction Fuzzy Hash: F13182745043C1ABEB35CF36984DBB637A8AB46304F040569E476C72A1E3A4BB85CB31

Function 00CECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00CECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECFF2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c4d4c0129713081869346cb381edc0b9af06e3767496432952ada560360789fa
Instruction ID: 3639f7ccc44cb4f156cb9e3ca983cd15c4c16c5055399cb3a8f2a5482addfdd9
Opcode Fuzzy Hash: c4d4c0129713081869346cb381edc0b9af06e3767496432952ada560360789fa
Instruction Fuzzy Hash: 3E312C71604345EFDB20DFE6C8C4AABBBF9EF14355B10452EF51AD2251DB30AE429B60

Function 00CD1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CD1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00CD19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00CD19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00CD19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CD19E2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d046151bf67228831ad70e091dade678f095f7c94d2966a222bac0f81b15c057
Instruction ID: 77233eec10675a9011b737c9c21372035982b0b28622d2d6a761e8c5450ac650
Opcode Fuzzy Hash: d046151bf67228831ad70e091dade678f095f7c94d2966a222bac0f81b15c057
Instruction Fuzzy Hash: D0319071A10219EFCB10CFA8C999ADE7BB5EB04315F144326FE25E72D1C7709A44CB91

Function 00D05706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D05745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D0579D
_wcslen.LIBCMT ref: 00D057AF
_wcslen.LIBCMT ref: 00D057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D05816

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: bd99105c84d1067c0b31f487c146cbaad93dbed84d17d1f648b095bd077d0b7c
Instruction ID: f345b1b4eae902cc9ea616bfb89da62030653a6024cf0dbbc8dbf1015008bdd3
Opcode Fuzzy Hash: bd99105c84d1067c0b31f487c146cbaad93dbed84d17d1f648b095bd077d0b7c
Instruction Fuzzy Hash: 0C218035904618AADB208F60EC84BEE77BCFB45320F148216ED1DEA1C4D7B0C985CF60

Function 00CF0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CF0951
GetForegroundWindow.USER32 ref: 00CF0968
GetDC.USER32(00000000), ref: 00CF09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CF09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CF09E8

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ed8f3780a5e1a4cb868060cb403665c5d8cdbe71d62ff716aec913c91f9b6e77
Instruction ID: 86dc7c52d8ea50913a7d953f7ef27dfacca3c753aff1438e60c4bbb3569f410c
Opcode Fuzzy Hash: ed8f3780a5e1a4cb868060cb403665c5d8cdbe71d62ff716aec913c91f9b6e77
Instruction Fuzzy Hash: D0218E35600204AFD754EF69C889AAEBBF9EF48700F148168F94AD7362DB70AD04DB60

Function 00CACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CACDE9

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CACE0F
_free.LIBCMT ref: 00CACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CACE31

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 71dd9214c0b17aae57145cdb792c46c92370ac3fe663d765df54915d25e3a802
Instruction ID: 097d89ca8a017620bd69690d978f28251e80ea772f01cf79d3eb70e04a3b3419
Opcode Fuzzy Hash: 71dd9214c0b17aae57145cdb792c46c92370ac3fe663d765df54915d25e3a802
Instruction Fuzzy Hash: 5901D4726013167F672117BA6CCCD7B696DDFC7BA93150229F915D7201EA608E0192F0

Function 00C89639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C89693
SelectObject.GDI32(?,00000000), ref: 00C896A2
BeginPath.GDI32(?), ref: 00C896B9
SelectObject.GDI32(?,00000000), ref: 00C896E2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 64fee9d5870ad45b164ba82b2810d2bc6346aa563a9d02c5db4feea74a8c9238
Instruction ID: 5d52bb34eb9ba6b343f89d64210eea72f1cb0ab2b0b49192ac0572b0794b664b
Opcode Fuzzy Hash: 64fee9d5870ad45b164ba82b2810d2bc6346aa563a9d02c5db4feea74a8c9238
Instruction Fuzzy Hash: 9A214F38812305EBDB11AF65DC14BB93BA8FB51369F184316F434E62B0E3709991CFA8

Function 00CD5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CD5726
_memcmp.LIBVCRUNTIME ref: 00CD5744
_memcmp.LIBVCRUNTIME ref: 00CD5757
_memcmp.LIBVCRUNTIME ref: 00CD576F
_memcmp.LIBVCRUNTIME ref: 00CD5787

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 35339e47506a64547733347814dfd472ccb9ca65f4b528e93d609eb6da921c08
Instruction ID: 35d2a8e4232e8dfa42ab27df441a4da2081c15ed882fd52b23cf9379fc29d5dc
Opcode Fuzzy Hash: 35339e47506a64547733347814dfd472ccb9ca65f4b528e93d609eb6da921c08
Instruction Fuzzy Hash: 7F01D2A125160AFEE61856119D87FBA735CAB21394B250022FE189A781F760EE1486B0

Function 00CA2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C9F2DE,00CA3863,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6), ref: 00CA2DFD
_free.LIBCMT ref: 00CA2E32
_free.LIBCMT ref: 00CA2E59
SetLastError.KERNEL32(00000000,00C71129), ref: 00CA2E66
SetLastError.KERNEL32(00000000,00C71129), ref: 00CA2E6F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5125d5618d9547ae8e60b038c7d4c6779dd839dfdaf4397024726abb0f53136c
Instruction ID: fa03986b7143d00b377e94b9efa177a30f1633bf1b97838f0878ec0441f3ee5a
Opcode Fuzzy Hash: 5125d5618d9547ae8e60b038c7d4c6779dd839dfdaf4397024726abb0f53136c
Instruction Fuzzy Hash: 6801F4322157236BC612673D6C46E6B2669ABD37BEB200228F435E2393EB74CD416130

Function 00CD000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?,?,00CD035E), ref: 00CD002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?), ref: 00CD0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0070

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 95b3433e294c1d04af2c4c54925f2e0b112e70f1f25030c3c1fae5cb9213b86b
Instruction ID: 0d023530a1a4445cc2c7938ab7f747bd85d654bb3c0304ec868331a96c29b975
Opcode Fuzzy Hash: 95b3433e294c1d04af2c4c54925f2e0b112e70f1f25030c3c1fae5cb9213b86b
Instruction Fuzzy Hash: 7201A272610304BFDB105F69DC08BAA7EEDEF88752F249225FA09D2310D771EE408BA0

Function 00CDE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00CDE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00CDE9A5
Sleep.KERNEL32(00000000), ref: 00CDE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00CDE9B7
Sleep.KERNEL32 ref: 00CDE9F3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 33692dfab515682c5d93e0fddc270e1428b4cf9be0abe431b402ee78220d8df6
Instruction ID: b4ff153ba1dc26d1b4c35d21c2bbce18c5e3da6d17e0428bbc0cad8f163c5800
Opcode Fuzzy Hash: 33692dfab515682c5d93e0fddc270e1428b4cf9be0abe431b402ee78220d8df6
Instruction Fuzzy Hash: A6011B31D02629DBCF00ABE5D9696DDBBB8BB09701F000656E616B6341CB30965587A2

Function 00CD10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD114D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cbb12505b1670d56b5745b801bc9a2eba4c44bbf6d1d2b8096bc49d34c8af760
Instruction ID: 8e86d5ca8f894fb2c3a0218b679531b69d059da45e027a30213d2c99d492ac73
Opcode Fuzzy Hash: cbb12505b1670d56b5745b801bc9a2eba4c44bbf6d1d2b8096bc49d34c8af760
Instruction Fuzzy Hash: 1D011479210305BFEB114FA5DC49B6A3B7EEF893A0B245529FA49D7360DA31DD009A70

Function 00CD0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD1002

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e5e6ab64e0e47aadf877cf195659f32728b0c472a914163a08ba84f98cf987d5
Instruction ID: b9266dbca13e31316d79c700edb0c3f51a95a0dc9ddc16dd279ffd186ab1449b
Opcode Fuzzy Hash: e5e6ab64e0e47aadf877cf195659f32728b0c472a914163a08ba84f98cf987d5
Instruction Fuzzy Hash: F0F04935210301BFDB215FA4AC4AF563BADEF89762F144515FA49C6391CA70EC408A70

Function 00CD1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CD102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1062

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 49b72eb4b726fd5e55ee6a4c9c03910200e86ac50dc2d70430c9b08501ab8844
Instruction ID: 062c50bfc0f59503467f28adfd242723e4e8c3507e53a9419bbd4ec479db003d
Opcode Fuzzy Hash: 49b72eb4b726fd5e55ee6a4c9c03910200e86ac50dc2d70430c9b08501ab8844
Instruction Fuzzy Hash: 80F04935210301BBDB216FA4EC49F563BADEF89761F140515FA49C6350CA70E9408A70

Function 00CE030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0324
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0331
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE033E
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE034B
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0358
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0365

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 685394f47158563831d9c46e302b72a1f7f65e0983f6500abc9cae76dddacd4e
Instruction ID: afe1ef9442c00c42f2851ee8043f5f89a95c3fbd98a5ca75e11492fcc744e8d1
Opcode Fuzzy Hash: 685394f47158563831d9c46e302b72a1f7f65e0983f6500abc9cae76dddacd4e
Instruction Fuzzy Hash: 4801A272800B559FC7309F66D880412F7F5BF503153258A3FD1A652931C3B1AA94CF80

Function 00CAD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CAD752

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CAD764
_free.LIBCMT ref: 00CAD776
_free.LIBCMT ref: 00CAD788
_free.LIBCMT ref: 00CAD79A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 70b76654b5831589daec8d4b92c0cb7ff17f1d741bce43951ed6093ca88e1abe
Instruction ID: 65a73a0925e8f252e720cb8fc8b6c1d5d611baacb094a7e952ba36c90c5d51a0
Opcode Fuzzy Hash: 70b76654b5831589daec8d4b92c0cb7ff17f1d741bce43951ed6093ca88e1abe
Instruction Fuzzy Hash: C6F0AF3211031AAF8264EB28F8C1C1B37DDBB06718B950805F01AE3A05C720FD808B70

Function 00CD5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CD5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CD5C6F
MessageBeep.USER32(00000000), ref: 00CD5C87
KillTimer.USER32(?,0000040A), ref: 00CD5CA3
EndDialog.USER32(?,00000001), ref: 00CD5CBD

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 59dd8a5c90139a7242cbea1c35c0684a4bbca861b1a97e10c6a023d7a3994e0f
Instruction ID: f849b36baa14d249fef69afe05b59a4bb129b325b0504fa6e2777eb641675e64
Opcode Fuzzy Hash: 59dd8a5c90139a7242cbea1c35c0684a4bbca861b1a97e10c6a023d7a3994e0f
Instruction Fuzzy Hash: 3A01DB30510B049BEB305B10DD4EFA577B8BB44741F04125AA657A11E1DBF15A448A50

Function 00CA22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA22BE

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CA22D0
_free.LIBCMT ref: 00CA22E3
_free.LIBCMT ref: 00CA22F4
_free.LIBCMT ref: 00CA2305

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: da6c5b81b98b38f32aedc3d41f0eba786cbc63f8f16886cd93cfc920e90249ac
Instruction ID: 36214ecdfcb06886bd3ed8566b83ccff0ef2c3ea201b89e61736584d4e46569b
Opcode Fuzzy Hash: da6c5b81b98b38f32aedc3d41f0eba786cbc63f8f16886cd93cfc920e90249ac
Instruction Fuzzy Hash: 6FF03A7C8103328F8756AF78BC428093F64BB1BB65B04161AF610E23B1C7300A51BBF9

Function 00C895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C895D4
StrokeAndFillPath.GDI32(?,?,00CC71F7,00000000,?,?,?), ref: 00C895F0
SelectObject.GDI32(?,00000000), ref: 00C89603
DeleteObject.GDI32 ref: 00C89616
StrokePath.GDI32(?), ref: 00C89631

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 974a94a5e11dad40f0b848f22ef989b7bc0c877edfc9fe9d4691ec4bfe791086
Instruction ID: 3f8b679efd87b46d02e1914e56e031f25687cc216633377f48f06975881707ce
Opcode Fuzzy Hash: 974a94a5e11dad40f0b848f22ef989b7bc0c877edfc9fe9d4691ec4bfe791086
Instruction Fuzzy Hash: CBF01938006304EBDB126F65ED187A43B61EB02326F089314F439D52F0D7308A91DF35

Function 00CA0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CA10F9
__freea.LIBCMT ref: 00CA1117

Part of subcall function 00CA1537: _free.LIBCMT ref: 00CA154F

Strings

a/p, xrefs: 00CA11DE
am/pm, xrefs: 00CA117A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0db762c377d7a6370b84eedbf4f55ed61ab8d84e2452abda0db2d843d43a73d2
Instruction ID: bd2924609d32ef17956e3cd05dfaa846efced4479296d9f56952b83cb29695c0
Opcode Fuzzy Hash: 0db762c377d7a6370b84eedbf4f55ed61ab8d84e2452abda0db2d843d43a73d2
Instruction Fuzzy Hash: E2D1E2319012479ACF249FA8C855BFEB7B1EF07318F2C0159EE21AB660D3359E80CB91

Function 00CF7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C90242: EnterCriticalSection.KERNEL32(00D4070C,00D41884,?,?,00C8198B,00D42518,?,?,?,00C712F9,00000000), ref: 00C9024D
Part of subcall function 00C90242: LeaveCriticalSection.KERNEL32(00D4070C,?,00C8198B,00D42518,?,?,?,00C712F9,00000000), ref: 00C9028A

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00C900A3: __onexit.LIBCMT ref: 00C900A9

__Init_thread_footer.LIBCMT ref: 00CF7BFB

Part of subcall function 00C901F8: EnterCriticalSection.KERNEL32(00D4070C,?,?,00C88747,00D42514), ref: 00C90202
Part of subcall function 00C901F8: LeaveCriticalSection.KERNEL32(00D4070C,?,00C88747,00D42514), ref: 00C90235

Strings

G, xrefs: 00CF7C7F
Variable must be of type 'Object'., xrefs: 00CF7C3A
5, xrefs: 00CF7C78

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 4f53bf40a5d19acb79e3fbd712fb4920fbdebd04e189f39dd3a128d8dfa3a43f
Instruction ID: c0d1501317435d4de6da3225c478e9c63773450edad931088997dd322f54c581
Opcode Fuzzy Hash: 4f53bf40a5d19acb79e3fbd712fb4920fbdebd04e189f39dd3a128d8dfa3a43f
Instruction Fuzzy Hash: 78919C70A04209EFCB04EF58D885DBDB7B1FF49300F508259FA169B292DB31AE45DB62

Function 00CD2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD21D0,?,?,00000034,00000800,?,00000034), ref: 00CDB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CD2760

Part of subcall function 00CDB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00CDB3F8

Part of subcall function 00CDB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00CDB355
Part of subcall function 00CDB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CD2194,00000034,?,?,00001004,00000000,00000000), ref: 00CDB365
Part of subcall function 00CDB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CD2194,00000034,?,?,00001004,00000000,00000000), ref: 00CDB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD281A

Strings

@, xrefs: 00CD2832

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4a58f20b59e55f11c561e2415c9e72f98d7a6910143ce599a0e62fa7d5b82ab0
Instruction ID: ae23e633fc40d74e4885aee57666f53e709e13292912b5cb9a5e4d2ad5bceacb
Opcode Fuzzy Hash: 4a58f20b59e55f11c561e2415c9e72f98d7a6910143ce599a0e62fa7d5b82ab0
Instruction Fuzzy Hash: 42413C72900218AFDB20DBA4CD81AEEBBB8EF09300F004056FA55B7291DB716E45DBA0

Function 00CA172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping Documents_pdf.exe,00000104), ref: 00CA1769
_free.LIBCMT ref: 00CA1834
_free.LIBCMT ref: 00CA183E

Strings

C:\Users\user\Desktop\Shipping Documents_pdf.exe, xrefs: 00CA1760, 00CA1767, 00CA1796, 00CA17CE

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Shipping Documents_pdf.exe
API String ID: 2506810119-2324658085
Opcode ID: d25fd5ce95dc36181ee1dae6001d522fc07b23f01ab0a43eb138eda4930ede91
Instruction ID: 3bd0707889148a214c34838c144728ab2e70e757fbdd136617a13c3ef08a17fb
Opcode Fuzzy Hash: d25fd5ce95dc36181ee1dae6001d522fc07b23f01ab0a43eb138eda4930ede91
Instruction Fuzzy Hash: C531B075A00319EFCB21DF99D885D9EBBFCEB86314F184166F814D7251D6B08E80DBA0

Function 00CDC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CDC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00CDC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D41990,010356D0), ref: 00CDC395

Strings

0, xrefs: 00CDC2DF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 908a94b3f27ed7839b3d8303ed625d388d4e7396d920565a60e59676ad250fb1
Instruction ID: 48f17edd81caabb1161c7e7b09a3c3b7965343b7e59ca921ae23ab859ce4e6af
Opcode Fuzzy Hash: 908a94b3f27ed7839b3d8303ed625d388d4e7396d920565a60e59676ad250fb1
Instruction Fuzzy Hash: 7E4191312043429FDB24DF29D8C4B9ABBE4AF85310F14861EFAA5973E1D770E904DB62

Function 00D04416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D0CC08,00000000,?,?,?,?), ref: 00D044AA
GetWindowLongW.USER32 ref: 00D044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D044D7

Strings

SysTreeView32, xrefs: 00D0447C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 56d6ab7911983d0fd7084f7b439065120924a5e0496a03dcbf7190fe539d8928
Instruction ID: aaa802e0449761810a8e8d1f33026378f91c5b1b6206980213cf03b69a3e0022
Opcode Fuzzy Hash: 56d6ab7911983d0fd7084f7b439065120924a5e0496a03dcbf7190fe539d8928
Instruction Fuzzy Hash: 28317C71210605AFDB209F38DC45FEA77A9EB08334F244715FA79922E0D7B0EC509760

Function 00CF304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CF3077,?,?), ref: 00CF3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF307A
_wcslen.LIBCMT ref: 00CF309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CF3106

Strings

255.255.255.255, xrefs: 00CF3095, 00CF309A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: edfe5a3263039ce3412d624d8eb7d32189d1dc33156104a70cdac6748426ebc1
Instruction ID: 4a82848f4a9ffe43b8fb4665ce4343b5b408687a33229efbf3627acbc02d98f0
Opcode Fuzzy Hash: edfe5a3263039ce3412d624d8eb7d32189d1dc33156104a70cdac6748426ebc1
Instruction Fuzzy Hash: 9131E435200289AFCB50CF28C485EBA77E0EF54318F24C059EA258B392DB32DF45C762

Function 00D04653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D04705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D04713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D0471A

Strings

msctls_updown32, xrefs: 00D04684

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4ddd701afc8871e20209230a0d4045045bb04aaa7f1ba7f9988b7a845415fe99
Instruction ID: d35ab1642c0974b95fb02f569370130e8233551abe78ab752aeea579091edadd
Opcode Fuzzy Hash: 4ddd701afc8871e20209230a0d4045045bb04aaa7f1ba7f9988b7a845415fe99
Instruction Fuzzy Hash: F0214FF5600208AFDB10DF68DC91EA637ADEB9A364B040459F604973A1DB71EC51DA70

Function 00CD95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CD961D

Strings

#requireadmin, xrefs: 00CD95D9
#OnAutoItStartRegister, xrefs: 00CD95F3
#notrayicon, xrefs: 00CD95B7

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b1ac3a73cd656f440deb7f39c49e7dc25d1039bec65774b5cb41c008ffbf6f4d
Instruction ID: 6017a9b88c34e345b9580d98776149f51db6b57993dbb6cbea1e31755f6dd6f9
Opcode Fuzzy Hash: b1ac3a73cd656f440deb7f39c49e7dc25d1039bec65774b5cb41c008ffbf6f4d
Instruction Fuzzy Hash: 4121463A204110A6C731BB259802FAB7398DF51300F104027FA5997281FB70EE96D3A5

Function 00D037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D03840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D03850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D03876

Strings

Listbox, xrefs: 00D0380F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 25795d9020a1b0485a1699fa5f53dffcd94fa673ea5d40ca1815a665152ed46c
Instruction ID: 0f7b2afc39819564200863d2c5d4cae70da02ec7cfd379805e21f415447729e8
Opcode Fuzzy Hash: 25795d9020a1b0485a1699fa5f53dffcd94fa673ea5d40ca1815a665152ed46c
Instruction Fuzzy Hash: 35218E72610218BBEB218F54CC85FAB376EEF89750F148124F9489B1D0CA71DC5287B0

Function 00CE49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CE4A5C
SetErrorMode.KERNEL32(00000000,?,?,00D0CC08), ref: 00CE4AD0

Strings

%lu, xrefs: 00CE4A6F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 28cbd2456e9ea87e3452b18b897c1fd7aae162ed24402ffb3e7cf2436c1697f8
Instruction ID: ee82007449c78d1702a71b51212510a915990ed981eb6286e316a1e8f1e91137
Opcode Fuzzy Hash: 28cbd2456e9ea87e3452b18b897c1fd7aae162ed24402ffb3e7cf2436c1697f8
Instruction Fuzzy Hash: A0315175A00209AFDB10DF64C885EAA7BF8EF08318F1480A9F909DB352D771EE45DB61

Function 00D041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D0424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D04264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D04271

Strings

msctls_trackbar32, xrefs: 00D04226

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b267dd29dc7e6151f2857e8be80ee643a957ab9c95168c6eb3b1fdd79dd6ebfd
Instruction ID: cf4fe108a962febc7a03e8b3f8297378f0af4ebe12fe19753601a14af215d07b
Opcode Fuzzy Hash: b267dd29dc7e6151f2857e8be80ee643a957ab9c95168c6eb3b1fdd79dd6ebfd
Instruction Fuzzy Hash: CA11C171240208BEEF205E39CC06FAB3BACEF85B54F010114FA59E20E0D671D8619B24

Function 00CD2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Part of subcall function 00CD2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD2DC5
Part of subcall function 00CD2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD2DD6
Part of subcall function 00CD2DA7: GetCurrentThreadId.KERNEL32 ref: 00CD2DDD
Part of subcall function 00CD2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CD2DE4

GetFocus.USER32 ref: 00CD2F78

Part of subcall function 00CD2DEE: GetParent.USER32(00000000), ref: 00CD2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00CD2FC3
EnumChildWindows.USER32(?,00CD303B), ref: 00CD2FEB

Strings

%s%d, xrefs: 00CD2FFF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c131a54b6ab7c833086a2a9fba47540cf13492a3c14ce2d38bab55a374dccc95
Instruction ID: f482a97c930f7785f54bc16afd3ecfa357f669322b7f7ccaaa0cf62538302305
Opcode Fuzzy Hash: c131a54b6ab7c833086a2a9fba47540cf13492a3c14ce2d38bab55a374dccc95
Instruction Fuzzy Hash: 4711A2756002056BCF547F608CC5EEE376AAF94304F049076BA099B392DE719A49EB71

Function 00D05882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D058EE
DrawMenuBar.USER32(?), ref: 00D058FD

Strings

0, xrefs: 00D0588F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 497e9bc8540991382908030632c8d3e7739616222e31c99e8ace8d58fad68ae0
Instruction ID: 41e632baf24d36e5faf0e0e82c1a5b2d408643d19c1e6b732a392d7abb4e19bc
Opcode Fuzzy Hash: 497e9bc8540991382908030632c8d3e7739616222e31c99e8ace8d58fad68ae0
Instruction Fuzzy Hash: FF016935500218EFDB219F11EC48BAFBBB4FB45361F1481A9E88DD6291DB708A95EF31

Function 00CD007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1ae55c27c098257a45abcc13957ebf8857e349a240c9ec94951a01aff47a79
Instruction ID: 8872afb10964d0a1518d1bf0a426e3110457d8065ac41be78822c7a1aa1b40ea
Opcode Fuzzy Hash: db1ae55c27c098257a45abcc13957ebf8857e349a240c9ec94951a01aff47a79
Instruction Fuzzy Hash: 71C12A75A00206AFDB14CF98C898BAEB7B5FF48704F208599E615EB351D731EE81CB90

Function 00CF342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CF3459
CoUninitialize.OLE32 ref: 00CF3463
VariantInit.OLEAUT32(?), ref: 00CF346E
VariantClear.OLEAUT32(?), ref: 00CF371B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8a5522c8a55b283a591dcabd87c4920f1c2144cd83f4dcc20bb6f3ee911a51a1
Instruction ID: 40b041536b0ddcd1287843aaf7c1ae6343a69fe0748b16a4463ea7edee387f26
Opcode Fuzzy Hash: 8a5522c8a55b283a591dcabd87c4920f1c2144cd83f4dcc20bb6f3ee911a51a1
Instruction Fuzzy Hash: 02A14C75204304AFC740EF28C585A2AB7E5FF88714F14895DF99A9B362DB30EE01DB52

Function 00CD0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D0FC08,?), ref: 00CD05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D0FC08,?), ref: 00CD0608
CLSIDFromProgID.OLE32(?,?,00000000,00D0CC40,000000FF,?,00000000,00000800,00000000,?,00D0FC08,?), ref: 00CD062D
_memcmp.LIBVCRUNTIME ref: 00CD064E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1a5b79ee406ef592f110686e46b154544fc70bb57fc12d4b95a850cf51cd7495
Instruction ID: d30839b2b4f8ba0b5695068b8c3e4177a1bd923609988a5d11b05d6f9c85ad8d
Opcode Fuzzy Hash: 1a5b79ee406ef592f110686e46b154544fc70bb57fc12d4b95a850cf51cd7495
Instruction Fuzzy Hash: 3F810D71A00109EFCB04DF98C984EEEB7B9FF89315F204559F616AB250DB71AE46CB60

Function 00CB1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB14C0

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 35aa61b8c8bfe012fccea056d090a823880b4ce4e8835cff870e2082b7d5b35e
Instruction ID: 2fee4dee8733c596f636e38bfa22e8b4cbcdbc819937bfcc19385ca16349cc3f
Opcode Fuzzy Hash: 35aa61b8c8bfe012fccea056d090a823880b4ce4e8835cff870e2082b7d5b35e
Instruction Fuzzy Hash: 6A415D31A00511ABDF216BFD8C567FE3AA4EF46370F6C4225FC29D7192E6348A416A72

Function 00D06278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0103E6D0,?), ref: 00D062E2
ScreenToClient.USER32(?,?), ref: 00D06315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D06382

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 192f69aa7a7ec01a2b475fe65a80b0bd45f94288ff068eb63529be4f7f408a5b
Instruction ID: 0f7f2c8ff6fd76928f3921708c7aac27039fe2b6c5f30e2a1e02ad4acdcb4650
Opcode Fuzzy Hash: 192f69aa7a7ec01a2b475fe65a80b0bd45f94288ff068eb63529be4f7f408a5b
Instruction Fuzzy Hash: 1A510C74900209EFDB20DF64D881AAE7BB5EB45360F188259F819DB2E0D730ED91CBA0

Function 00CF1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CF1AFD
WSAGetLastError.WSOCK32 ref: 00CF1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CF1B8A
WSAGetLastError.WSOCK32 ref: 00CF1B94

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 885cdbdb2e7c7f4a9b62334da0af691953cad9dcd3a52ca1e3269a864443d0d0
Instruction ID: c996dc77f90f8a44e9ef8b227b9ea38e778aac6179c712f056948715358b4a28
Opcode Fuzzy Hash: 885cdbdb2e7c7f4a9b62334da0af691953cad9dcd3a52ca1e3269a864443d0d0
Instruction Fuzzy Hash: E941C174640200AFE760AF24C886F3977E5AB44718F58C548FA1A9F3D3D772DD419B91

Function 00CAB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8557612153d7ff584e208325909319c38fc85ad58eebebefb060638bbc9594f4
Instruction ID: fff8eafc38a94f5b206f7aa0277a7d340f83906a5f6deda7263e25e1f57d8d13
Opcode Fuzzy Hash: 8557612153d7ff584e208325909319c38fc85ad58eebebefb060638bbc9594f4
Instruction Fuzzy Hash: 3B412671A00705BFD7249F78CC45BAABBE9EB8A714F10452EF511DB283D771AE019790

Function 00CE56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CE5783
GetLastError.KERNEL32(?,00000000), ref: 00CE57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CE57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CE57FA

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 68cbaccdc6301d0db5cb412214f0287a1643dc7d462119f24a642beac72c63aa
Instruction ID: 6e5985eb63daba56e5807df8eb9e5dd36e0d9758489edcbdf2873c0d77f5c46c
Opcode Fuzzy Hash: 68cbaccdc6301d0db5cb412214f0287a1643dc7d462119f24a642beac72c63aa
Instruction Fuzzy Hash: F5414C39600611DFCB11EF15C584A1EBBE2EF89724B18C488E85EAB362CB30FD00DB91

Function 00CAD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C96D71,00000000,00000000,00C982D9,?,00C982D9,?,00000001,00C96D71,8BE85006,00000001,00C982D9,00C982D9), ref: 00CAD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CAD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CAD9AB
__freea.LIBCMT ref: 00CAD9B4

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bf49248a9cfa2d0c88b1b8f4041a34c9552dec116d030c6aa5e39d92bb479176
Instruction ID: ed021dbde141f259550330363c4e038a8f20450286d9f2bbc4d31361615d7c5c
Opcode Fuzzy Hash: bf49248a9cfa2d0c88b1b8f4041a34c9552dec116d030c6aa5e39d92bb479176
Instruction Fuzzy Hash: 3831D272A1020AABDF249F75DC45EAF7BA9EB41314F050168FC16D7250EB35CE54DBA0

Function 00D052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D05352
GetWindowLongW.USER32(?,000000F0), ref: 00D05375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D05382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D053A8

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 387eca4f55a6036800e59ec10b5df311e761c6983ff736c2563393c4875cad1d
Instruction ID: 87a01e2a35f1cadc4840169f2c10377ceb60cc667bee438984b189bd3ef8ec09
Opcode Fuzzy Hash: 387eca4f55a6036800e59ec10b5df311e761c6983ff736c2563393c4875cad1d
Instruction Fuzzy Hash: CF31E234A55A08EFEB309F14EC06BEA7765EB05390F9C4101FE59962E4C7B1A980DF72

Function 00CDAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00CDABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CDAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CDAC74
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00CDACC6

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3886daf6d6c280b7e29f19f414516fa1d448e62b2155f4c99c254b4eb9de70a5
Instruction ID: 5b795db24d225a07bad75e567e0e669ead12539adb913e5fb4ebb0272300bbe3
Opcode Fuzzy Hash: 3886daf6d6c280b7e29f19f414516fa1d448e62b2155f4c99c254b4eb9de70a5
Instruction Fuzzy Hash: 81310930A607186FEF35CB658C047FE7BA5ABC5330F04431BE695923E1C3768A859762

Function 00D07674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D0769A
GetWindowRect.USER32(?,?), ref: 00D07710
PtInRect.USER32(?,?,00D08B89), ref: 00D07720
MessageBeep.USER32(00000000), ref: 00D0778C

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bcc1be4c8818f805656e2062a76bae20d805ed989c2499c06523883c0b490379
Instruction ID: 82bc92a8905b61c1ab7c35749b894fe53ca87fa3804b82b9d5a6088dba322da9
Opcode Fuzzy Hash: bcc1be4c8818f805656e2062a76bae20d805ed989c2499c06523883c0b490379
Instruction Fuzzy Hash: ED415B38A052149FCB11CF58C894BA977F5FB89354F1941A9E429DF3A1C771B982CFA0

Function 00D016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D016EB

Part of subcall function 00CD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3A57
Part of subcall function 00CD3A3D: GetCurrentThreadId.KERNEL32 ref: 00CD3A5E
Part of subcall function 00CD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD25B3), ref: 00CD3A65

GetCaretPos.USER32(?), ref: 00D016FF
ClientToScreen.USER32(00000000,?), ref: 00D0174C
GetForegroundWindow.USER32 ref: 00D01752

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ce668601ef2a72f0d5e085cdf54479ef56af8a94e4dd50dd9be15c7b09f64afc
Instruction ID: 374eb86933910cd6739167efda7b90ebc2ed485a78816f4677693b6d46064daa
Opcode Fuzzy Hash: ce668601ef2a72f0d5e085cdf54479ef56af8a94e4dd50dd9be15c7b09f64afc
Instruction Fuzzy Hash: 2B313075D00249AFC700DFA9C881DAEB7F9FF88304B54806AE419E7251D7319E45DBA0

Function 00CDD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CDD501
Process32FirstW.KERNEL32(00000000,?), ref: 00CDD50F
Process32NextW.KERNEL32(00000000,?), ref: 00CDD52F
CloseHandle.KERNEL32(00000000), ref: 00CDD5DC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e47d50be609a314cd3cab9450926d832c13a6d4dc644c6f49ef021b2d06a82aa
Instruction ID: 5766c9b48c928733899598e79debfefa109af51c10982215364596699baebf20
Opcode Fuzzy Hash: e47d50be609a314cd3cab9450926d832c13a6d4dc644c6f49ef021b2d06a82aa
Instruction Fuzzy Hash: D231C4711083009FD300EF54D881EAFBBF8EF99354F10452DF58A862A1EB719A45DBA3

Function 00D08FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

GetCursorPos.USER32(?), ref: 00D09001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CC7711,?,?,?,?,?), ref: 00D09016
GetCursorPos.USER32(?), ref: 00D0905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CC7711,?,?,?), ref: 00D09094

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 89aa0014a6e8e29adb32bb50688ab296962609f542225a1b836c964b014b0752
Instruction ID: 4a93adf4c0a8855064b66cacc6351f0752751c50f3030586d6767bbf9ae051e5
Opcode Fuzzy Hash: 89aa0014a6e8e29adb32bb50688ab296962609f542225a1b836c964b014b0752
Instruction Fuzzy Hash: 08217F39600118EFDB258F94CC68FFBBBB9EB4A350F184165F949872A2C7319990DB70

Function 00CDD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D0CB68), ref: 00CDD2FB
GetLastError.KERNEL32 ref: 00CDD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D0CB68), ref: 00CDD376

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d72af7322956d21dfde46b95332e6ab17ffc82363e5cef9b2ca8a07e9c3c979c
Instruction ID: bde9ea470f64bdcbe87a216986e2a9c3f34fbe2436969af6dd00b93e9c22876b
Opcode Fuzzy Hash: d72af7322956d21dfde46b95332e6ab17ffc82363e5cef9b2ca8a07e9c3c979c
Instruction Fuzzy Hash: B0216D709193019FC710DF28C88196AB7E4EE56364F504A1EF5AAC73E1D731DA49CB93

Function 00CD1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CD102A
Part of subcall function 00CD1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1036
Part of subcall function 00CD1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1045
Part of subcall function 00CD1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD104C
Part of subcall function 00CD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CD15BE
_memcmp.LIBVCRUNTIME ref: 00CD15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD1617
HeapFree.KERNEL32(00000000), ref: 00CD161E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6a1153ebaeb4324e295a8c3ff1ceaf87acbdda19cd861284fffebdbd05f5cb48
Instruction ID: a0cfdaad3cb6bf4218408638a5a98d6b68263c649c594827bf3cdd0e86768c86
Opcode Fuzzy Hash: 6a1153ebaeb4324e295a8c3ff1ceaf87acbdda19cd861284fffebdbd05f5cb48
Instruction Fuzzy Hash: 03218631E00208BFDB00DFA4C949BEEB7B8EF40354F08445AE915AB341E730AA46CBA0

Function 00D02782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D0280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D02824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D02832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D02840

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 92b909924505d53239b7c09d7e0318c6cf08f6e1e0e679cd154c2e8f6e59e117
Instruction ID: 573b079a57f9da57c7d01236c465db1c972ba5835e5cd76d5a1d286df78b34ea
Opcode Fuzzy Hash: 92b909924505d53239b7c09d7e0318c6cf08f6e1e0e679cd154c2e8f6e59e117
Instruction Fuzzy Hash: 74219235605511AFD7149B24CC49F7A77A5AF85324F148258F41ACB6E2CB75EC42C7A0

Function 00CD78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CD790A,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?), ref: 00CD8D8C
Part of subcall function 00CD8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00CD8DB2
Part of subcall function 00CD8D7D: lstrcmpiW.KERNEL32(00000000,?,00CD790A,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?), ref: 00CD8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?,00000000), ref: 00CD7923
lstrcpyW.KERNEL32(00000000,?), ref: 00CD7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CD8754,00000000,?,0000001C,?,?,00000000), ref: 00CD7984

Strings

cdecl, xrefs: 00CD797B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f348c774422dc86b1bb8bad1d3e52b391f4a93ced3cb128a070684a4b00fc3c0
Instruction ID: f33d0bf84f0250a858ae64b71cb0a74d5cbe197ffc03492e226597ab3367e662
Opcode Fuzzy Hash: f348c774422dc86b1bb8bad1d3e52b391f4a93ced3cb128a070684a4b00fc3c0
Instruction Fuzzy Hash: FD11E13A200302ABCB15AF34D855E7A77A9FF85350B00412BEA06C73A4FB319911D7A1

Function 00D07CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D07D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D07D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D07D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CEB7AD,00000000), ref: 00D07D6B

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 917cd1eff047de562c763b4cf579607b871bbb761a8d6735bc54edd6f15063c5
Instruction ID: 1b69d6bec50d144d6712d1cb810fe0e454b5eee6282ef5e1b44ba0e47b5e87a4
Opcode Fuzzy Hash: 917cd1eff047de562c763b4cf579607b871bbb761a8d6735bc54edd6f15063c5
Instruction Fuzzy Hash: D8119035A15615AFDB109F28CC04BAA3BA5AF46360B194724F83DCB2F0E731E951DB70

Function 00D05660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D056BB
_wcslen.LIBCMT ref: 00D056CD
_wcslen.LIBCMT ref: 00D056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D05816

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7d6aea00a7507a9fa4c8dfe370dd219fccc34c5e84e8ff069c0bb1a7becfc9a6
Instruction ID: cdf4e6f1aa65107d97475028672bbf9c85591ecc594165c749ce0b5132942e4c
Opcode Fuzzy Hash: 7d6aea00a7507a9fa4c8dfe370dd219fccc34c5e84e8ff069c0bb1a7becfc9a6
Instruction Fuzzy Hash: 2111CA35A00608A6DF209B61EC85BEF37ACEB01360B544026FD09D60C9EAB0CA808F70

Function 00CD1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CD1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD1A8A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4e3bf64dcf7f257d7fc6f4c51233d3dcad142f58daf22a634a591dc6c8e38c94
Instruction ID: f26a506f794ce027423542a4a75bcc188f6210b898b699b6553880f8911c58c2
Opcode Fuzzy Hash: 4e3bf64dcf7f257d7fc6f4c51233d3dcad142f58daf22a634a591dc6c8e38c94
Instruction Fuzzy Hash: 4711273A901219FFEB109BA5C985FADBB78EB08750F240092EA04B7290D7716E50EB94

Function 00CDE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CDE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00CDE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CDE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CDE24D

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e9f36990733c9c29b27d262c825096c1c870c3547e4532732b9a042581e56713
Instruction ID: 8b9bde908bef7c7a299fd0d7d40bb7a189bd863d03c8ed5a7eef06bb4932e0f0
Opcode Fuzzy Hash: e9f36990733c9c29b27d262c825096c1c870c3547e4532732b9a042581e56713
Instruction Fuzzy Hash: BF11C87A914354BBC701AFA89C09B9F7FAC9B45310F14435AF925E7391D670DE0487B1

Function 00C9D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C9CFF9,00000000,00000004,00000000), ref: 00C9D218
GetLastError.KERNEL32 ref: 00C9D224
__dosmaperr.LIBCMT ref: 00C9D22B
ResumeThread.KERNEL32(00000000), ref: 00C9D249

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 53f9676ac844a02010d5061096140cdc6feaea3271f3744309178d43e5d2cffe
Instruction ID: ea8a2dcfcf7de4349e7625f72eb337220a8a4fc79194dc9d32d2c6a04a086b31
Opcode Fuzzy Hash: 53f9676ac844a02010d5061096140cdc6feaea3271f3744309178d43e5d2cffe
Instruction Fuzzy Hash: A101F576815604BBCF116BA5DC0DBAE7A69DF81731F200319F926E21D0CB70CE01D6B1

Function 00C7600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C7604C
GetStockObject.GDI32(00000011), ref: 00C76060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7606A

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7010540b0b60c258b0d5c9f05acf97723a3a5a2ea695ea19bd3c6bd3c0727b69
Instruction ID: 03d781e805b9db6f87f77718d98ad04f790bd3733d9bb5d4a532cf1b0abf702f
Opcode Fuzzy Hash: 7010540b0b60c258b0d5c9f05acf97723a3a5a2ea695ea19bd3c6bd3c0727b69
Instruction Fuzzy Hash: 73115E72501A09BFEF124FA49C44AEABF69EF09364F044215FA1892150D7329D609FA4

Function 00C93B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C93B56

Part of subcall function 00C93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C93AD2
Part of subcall function 00C93AA3: ___AdjustPointer.LIBCMT ref: 00C93AED

_UnwindNestedFrames.LIBCMT ref: 00C93B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C93B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C93BA4

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 22a8bf5587b5fc3f804d8141147922b97137c0bf3fb320f0732e2ccb570d5f55
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C901E932100189BBDF126E95CC4AEEB7B6AEF58754F044014FE5896121C732EA62EBA0

Function 00CA3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C713C6,00000000,00000000,?,00CA301A,00C713C6,00000000,00000000,00000000,?,00CA328B,00000006,FlsSetValue), ref: 00CA30A5
GetLastError.KERNEL32(?,00CA301A,00C713C6,00000000,00000000,00000000,?,00CA328B,00000006,FlsSetValue,00D12290,FlsSetValue,00000000,00000364,?,00CA2E46), ref: 00CA30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CA301A,00C713C6,00000000,00000000,00000000,?,00CA328B,00000006,FlsSetValue,00D12290,FlsSetValue,00000000), ref: 00CA30BF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c4c454b61bd398ba89c33995abe5cc54d91ec5fd071104534c47d0425b62f458
Instruction ID: 983eecebd62f7a326bb4c196c108625ff3305e20f5e048aa674092c5bac07116
Opcode Fuzzy Hash: c4c454b61bd398ba89c33995abe5cc54d91ec5fd071104534c47d0425b62f458
Instruction Fuzzy Hash: DD012B36311363ABCB314B799C54A577B98AF47BA5B204720F919E3280C731DA01C6F0

Function 00CD7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00CD747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CD7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CD74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00CD74CA

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 88956ab586f06c6a55d7a67a1a9e6f9dea8c5ec88a99fe547a5a18301921dea2
Instruction ID: 18d11a9394e14eacf00628ee1c80b10ffa5690dc41abf5e47a7025346fedbd5e
Opcode Fuzzy Hash: 88956ab586f06c6a55d7a67a1a9e6f9dea8c5ec88a99fe547a5a18301921dea2
Instruction Fuzzy Hash: 0611A1B12053149BE721CF14DD08B92BBFCEB00B00F10866AA61AD6291E770E944DF60

Function 00CDB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB126

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 60ffea60509d6bf34ffbd69f63499d3443ed65b858cde3dc5c750795ba04ba87
Instruction ID: 138ca75fa08f9c89c2879cb2930adbf84828a0b555d52cc8d38c7c7eaf5d1e69
Opcode Fuzzy Hash: 60ffea60509d6bf34ffbd69f63499d3443ed65b858cde3dc5c750795ba04ba87
Instruction Fuzzy Hash: A7113C71D01A18D7CF00AFA5D9596EEBB78FF09711F124186DA51B2341CB309A508BA5

Function 00CD2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD2DD6
GetCurrentThreadId.KERNEL32 ref: 00CD2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CD2DE4

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 523d8fbdf523e767f3fe1799ef40d440baedb92bf9d2d876b7bda1e22318cec2
Instruction ID: 9ed4e486b8ec81c69b2bbecb0e6c8e3bea80b5d059d23cb5ea104a1c9084b82c
Opcode Fuzzy Hash: 523d8fbdf523e767f3fe1799ef40d440baedb92bf9d2d876b7bda1e22318cec2
Instruction Fuzzy Hash: EFE092712113247BD7301B739C0DFEB3E6DEF56BA1F40121AF209D12909AA1C940C6B0

Function 00D08863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C89693
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896A2
Part of subcall function 00C89639: BeginPath.GDI32(?), ref: 00C896B9
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D08887
LineTo.GDI32(?,?,?), ref: 00D08894
EndPath.GDI32(?), ref: 00D088A4
StrokePath.GDI32(?), ref: 00D088B2

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 896417bf583b5687e9a1ebaf31740b8a1f4411f8f3f3711818f7e684f3416dd3
Instruction ID: 46f7f364d15725dbc5e064b5deb3c606ee41303f46f897a8db96d320676759cf
Opcode Fuzzy Hash: 896417bf583b5687e9a1ebaf31740b8a1f4411f8f3f3711818f7e684f3416dd3
Instruction Fuzzy Hash: C6F03A3A041358FBEB126F94AC09FCA3E59AF06310F088100FA15A62E1C7755551DFF9

Function 00C898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C898CC
SetTextColor.GDI32(?,?), ref: 00C898D6
SetBkMode.GDI32(?,00000001), ref: 00C898E9
GetStockObject.GDI32(00000005), ref: 00C898F1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6ae2d053b11050ec13f50cc3150bea1ccfb2454f2a801948338d8a841772d06a
Instruction ID: d4f9a84f5062e4b1b3754edf1aa1c2ee6ff99067c9c56a6156dc33640bcd7922
Opcode Fuzzy Hash: 6ae2d053b11050ec13f50cc3150bea1ccfb2454f2a801948338d8a841772d06a
Instruction Fuzzy Hash: 35E06D31254780AEDB215B74EC09BE83F20EB12336F048319FAFE981E1C37246509F21

Function 00CD162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CD1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CD11D9), ref: 00CD163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CD11D9), ref: 00CD1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CD11D9), ref: 00CD164F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6fe460c06f913ee0ed658ccb2f7223241c7d35c2b4e95fa04b93a9948a6add2e
Instruction ID: 02c3df7fa0bf75502cba3e312c644068678ad1368d81b74b267ad9d9bbe7b1dc
Opcode Fuzzy Hash: 6fe460c06f913ee0ed658ccb2f7223241c7d35c2b4e95fa04b93a9948a6add2e
Instruction Fuzzy Hash: 16E08C32612311EBE7301FB0AE0DB863B7CEF44792F188909F749C9180E6348541CB74

Function 00CCD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CCD858
GetDC.USER32(00000000), ref: 00CCD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCD882
ReleaseDC.USER32(?), ref: 00CCD8A3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b1263b6ab88360c9dc42257a6a089c16ee7451a86fefb40a88cd90b122301fc7
Instruction ID: 2ac9231178e78440a4d7d30bfd80a8b7f39f682fb0fe57166968dfbb71589589
Opcode Fuzzy Hash: b1263b6ab88360c9dc42257a6a089c16ee7451a86fefb40a88cd90b122301fc7
Instruction Fuzzy Hash: 7BE01AB0810305DFCF51AFA1D808B6DBBB1FB08310F109119F84AE73A0CB398901AF60

Function 00CCD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CCD86C
GetDC.USER32(00000000), ref: 00CCD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCD882
ReleaseDC.USER32(?), ref: 00CCD8A3

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e119053fd7ab8587d9bd46003e4e9a19f99290f8b2a95dd04b63cfa8ad3f5465
Instruction ID: 3cdccca7ad6af00470078d1e63e594dd8fa89301489bf970ccd5507526302d5e
Opcode Fuzzy Hash: e119053fd7ab8587d9bd46003e4e9a19f99290f8b2a95dd04b63cfa8ad3f5465
Instruction Fuzzy Hash: 9CE012B0C10300EFCF60AFA0D80876DBBB1BB08310F10A108F84AE73A0CB395901AF60

Function 00CE4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CE4ED4

Strings

*, xrefs: 00CE4E10
LPT, xrefs: 00CE4DFB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b6518fda4b67356bec0dd5f97aaed0056b54b2d47d478b1b4a7b04918c876620
Instruction ID: 97108e09edb292fa54b4f14a5d41ffaf8570f24a3b56c979e568e06092f847e6
Opcode Fuzzy Hash: b6518fda4b67356bec0dd5f97aaed0056b54b2d47d478b1b4a7b04918c876620
Instruction Fuzzy Hash: E0916275A00244DFCB18DF99C484EAABBF1BF44704F198099E81A9F362D735EE85CB91

Function 00C9E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C9E30D

Strings

pow, xrefs: 00C9E2E5, 00C9E302

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d1cf9c8940d9d8c962608380bd8fd77d065abaa91825106a3e0602420136bafc
Instruction ID: 9aca16aa9f5e505c553cd48564f91bcf53ee5e8a9a23a02957e66da1fdf3c4c4
Opcode Fuzzy Hash: d1cf9c8940d9d8c962608380bd8fd77d065abaa91825106a3e0602420136bafc
Instruction Fuzzy Hash: 14513C61E0C203A6CF15B714CD453BA2BA4FF61744F348E68E0E5823B9EF358D929A46

Function 00C8E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C8E1B1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0e4e7ecf9d7393897a513edb9dafe40af02e494da51f7544a3786227b6f9d56c
Instruction ID: db3e21d5c6c88a9903c1464c5122e6dc165db1353a47ba7ac2ba712d87abe5cb
Opcode Fuzzy Hash: 0e4e7ecf9d7393897a513edb9dafe40af02e494da51f7544a3786227b6f9d56c
Instruction Fuzzy Hash: 1D511375500356DFDF15EF68C481FBA7BA8EF26314F248059E8A19B2D0D7349E42DBA0

Function 00C8F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C8F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C8F2BB

Strings

@, xrefs: 00C8F2AF

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d58e71dfbd4a9882166df81e54351e85fb002f6a6fb4f808cf04c9d67a012e78
Instruction ID: 78511bb1de06c669802f94347324fd28b4aa0850cde7c54adcaa816e4cc97708
Opcode Fuzzy Hash: d58e71dfbd4a9882166df81e54351e85fb002f6a6fb4f808cf04c9d67a012e78
Instruction Fuzzy Hash: 9D5145714087499BD320AF64DC86BAFBBF8FB95300F81895DF1D9811A5EB308529CB67

Function 00CF5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CF57E0
_wcslen.LIBCMT ref: 00CF57EC

Strings

CALLARGARRAY, xrefs: 00CF57E6, 00CF57EB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 898933652e80c38cf28bca0ccb2e35d74444fb951b5d22538e8babbd3b717029
Instruction ID: 4a3724692c92c8d1caf47f5a367af878188549fb7401300e0e861d98c3d1bb4f
Opcode Fuzzy Hash: 898933652e80c38cf28bca0ccb2e35d74444fb951b5d22538e8babbd3b717029
Instruction Fuzzy Hash: D341C131E402099FCB54EFA9C8819BEBBB5FF59364F104129E715A7391E7309E81CBA1

Function 00CED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CED13A

Strings

|, xrefs: 00CED10B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3c3464200032a5f07cbb9cbfc91129f115b2d23305e3283905b86af71ce7de45
Instruction ID: 6227797a790a6f291fd0aab99bd8d14390875df00f14fdd71d83d7ee59c54f03
Opcode Fuzzy Hash: 3c3464200032a5f07cbb9cbfc91129f115b2d23305e3283905b86af71ce7de45
Instruction Fuzzy Hash: 17315E71D00209ABCF15EFA5CC85EEEBFB9FF04310F004019F81AA6162E731AA06DB61

Function 00D0356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D03621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D0365C

Strings

static, xrefs: 00D035BC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8b55b206811d7722d10422c0542300c5a041ed5668c701c72f0f1a4be05e1c25
Instruction ID: fb5e2528060d0dcd543973d457e0fca6fb68b2935d151391d634145644284553
Opcode Fuzzy Hash: 8b55b206811d7722d10422c0542300c5a041ed5668c701c72f0f1a4be05e1c25
Instruction Fuzzy Hash: E8318871110604AADB209F68DC80BFB73ADFF88724F509619F8A9D7290DA31AD919B70

Function 00D04537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D0461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D04634

Strings

', xrefs: 00D0458E

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a75d00c4176298b09c4aceedc7e9607276bced573c91c34a6cc315f44b764e7
Instruction ID: 51284e484f0f66effb0f3f64d51e7cfd75edfdcb65a14b868481ffbf81463836
Opcode Fuzzy Hash: 4a75d00c4176298b09c4aceedc7e9607276bced573c91c34a6cc315f44b764e7
Instruction Fuzzy Hash: 053108B4A013099FDB14CFA9C995FDA7BB5FF49300F144069EA09AB391E771A941CFA0

Function 00D031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D0327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D03287

Strings

Combobox, xrefs: 00D03249

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3c9ed579683f38c5c5ca4d9ee528fd89a87b9ce4780cce82b0b2fb3504fc3998
Instruction ID: 800431ee77a387e3720173a26e538ede79c3e15bdd93f0dc29fcc27cd41b7dca
Opcode Fuzzy Hash: 3c9ed579683f38c5c5ca4d9ee528fd89a87b9ce4780cce82b0b2fb3504fc3998
Instruction Fuzzy Hash: DE118E712002087FEF259E64DC81FAB376EEB94364F144129F918972D0D6719D519774

Function 00D03710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C7604C
Part of subcall function 00C7600E: GetStockObject.GDI32(00000011), ref: 00C76060
Part of subcall function 00C7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7606A

GetWindowRect.USER32(00000000,?), ref: 00D0377A
GetSysColor.USER32(00000012), ref: 00D03794

Strings

static, xrefs: 00D03757

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d287d58f933bf9c8f8e62ff5fb010173df5795218fd922f4d2fbbe878e0a0fbb
Instruction ID: 8dab4bdb3aa5f60dd11408ce1e8c2658c5f3925d25a27e5e42b8f9067fd05866
Opcode Fuzzy Hash: d287d58f933bf9c8f8e62ff5fb010173df5795218fd922f4d2fbbe878e0a0fbb
Instruction Fuzzy Hash: EA1129B2610209AFDB00DFA8CC45AEA7BB8EB48314F005A15F959E2290D775E8519B60

Function 00CECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CECDA6

Strings

<local>, xrefs: 00CECD66

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0af2564479b6be484686f59ca40c42035bc486cb8fd746dcdf280279fa354ed2
Instruction ID: d9b89a49f279f89808793c111242c6db909bfaba8264d591521305a0a085b650
Opcode Fuzzy Hash: 0af2564479b6be484686f59ca40c42035bc486cb8fd746dcdf280279fa354ed2
Instruction Fuzzy Hash: 3A11E071201671BAD7284B678C88FE7BEACEB127A4F00422AF11982180D2669A42D6F0

Function 00D03429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D034BA

Strings

edit, xrefs: 00D0348F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 832eba4b75bf503565fb9cede89bd3758c6cba36e1b3b7d7d8678c5d8a242218
Instruction ID: 0e0ed40ba7a0eaeeccc174561fbd710a24c8a76d17441f6adac2b0b4518cfea3
Opcode Fuzzy Hash: 832eba4b75bf503565fb9cede89bd3758c6cba36e1b3b7d7d8678c5d8a242218
Instruction Fuzzy Hash: 77116A71500208ABEB228F64DC84BEA376EEB05374F544724F9A99B2E0C771DC919B71

Function 00CD6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

CharUpperBuffW.USER32(?,?,?), ref: 00CD6CB6
_wcslen.LIBCMT ref: 00CD6CC2

Strings

STOP, xrefs: 00CD6CBC, 00CD6CC1

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 67dd00bd641c5499fbe0eb169fecc3ce3745a6076c6c486990ecbd3513f98092
Instruction ID: 0eeca4b85dff9f357872b3b9154aedf4c651514c8258411bd3fc490bb3a820a5
Opcode Fuzzy Hash: 67dd00bd641c5499fbe0eb169fecc3ce3745a6076c6c486990ecbd3513f98092
Instruction Fuzzy Hash: F701D6326245278BCB219FBDDC819BF77B5EFA1710B500526E96297395EB31DA00C750

Function 00CD1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CD1D4C

Strings

ListBox, xrefs: 00CD1D16
ComboBox, xrefs: 00CD1CEB

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 46a86ce4ddef1a83792167b42d1015a315ef2f9a27e220d805700a22d1e73ffe
Instruction ID: f2df4b0dba9c6864c94af7b0d2d1257d58d6438516df618dc92241ea78975833
Opcode Fuzzy Hash: 46a86ce4ddef1a83792167b42d1015a315ef2f9a27e220d805700a22d1e73ffe
Instruction Fuzzy Hash: 3301F131610218ABCB09EBA0CC51DFE73A9EB52390B08060AE936673C1EB3059089661

Function 00CD1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CD1C46

Strings

ListBox, xrefs: 00CD1C10
ComboBox, xrefs: 00CD1BE5

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7af46fb375d973c681bf1aacfb1da22f24d0dc09f4f4531d7243db7424f3ce57
Instruction ID: dbffd24abf2db459f00658b4010e704281020f8d683e4f0368d9576b9cbaed97
Opcode Fuzzy Hash: 7af46fb375d973c681bf1aacfb1da22f24d0dc09f4f4531d7243db7424f3ce57
Instruction Fuzzy Hash: FE01A7757911047ADF14EB90DD52EFF77A8DB52380F14001AA91A673C2EA209F0C96B2

Function 00CD1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CD1CC8

Strings

ListBox, xrefs: 00CD1C94
ComboBox, xrefs: 00CD1C69

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 558ddff42d92ada49bed7026088485a492753889d5eea1820f3981dcbbec8d71
Instruction ID: ce45feb7387d410c75e1d03555cfc91417fb588a4cdea8cf81a2c572e6c9b84b
Opcode Fuzzy Hash: 558ddff42d92ada49bed7026088485a492753889d5eea1820f3981dcbbec8d71
Instruction Fuzzy Hash: 1D01A2717A01187ACB14EBA5CA42EFE73A89B52380F180016BD1673381EA619F089672

Function 00CF747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CF7493
_wcslen.LIBCMT ref: 00CF74B9

Strings

3, 3, 16, 1, xrefs: 00CF7483

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b3812cb6be1ae1b5d45035285e796ffc5a97847a5b0dc866f0a2fa2c17be4159
Instruction ID: 65ce8ae0497d32e7db8760666de903048fe8d155b794004fed2f9206cb7f47a9
Opcode Fuzzy Hash: b3812cb6be1ae1b5d45035285e796ffc5a97847a5b0dc866f0a2fa2c17be4159
Instruction Fuzzy Hash: 3FE02B0220422410927523799CC5D7F5A8DCFC9750710182BFA91C2266EA948E92A3A2

Function 00CD0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CD0B23

Strings

Error allocating memory., xrefs: 00CD0B1C
AutoIt, xrefs: 00CD0B17

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ac32f4d234e86550037085a1750174a384009eafcfb50eb6cd3956a73fd805e9
Instruction ID: 3053a992c27a5ed4bfd130763dcddc12860aee6dc2b1fbf18deb8cc7156eea2c
Opcode Fuzzy Hash: ac32f4d234e86550037085a1750174a384009eafcfb50eb6cd3956a73fd805e9
Instruction Fuzzy Hash: 96E0D8312443087AD21437547C07F897B848F05B55F20042BF75C956C38AD164901ABD

Function 00C90D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C90D71,?,?,?,00C7100A), ref: 00C8F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C7100A), ref: 00C90D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C7100A), ref: 00C90D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C90D7F

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d8676f0c8e7f568a9b2d2688ee40a434e77674bef7eeff415d56b68b04252c56
Instruction ID: a19e9c4a7f024b8db7b1a2be5c35ef9db0c71be8515d803989d7fac2b9439462
Opcode Fuzzy Hash: d8676f0c8e7f568a9b2d2688ee40a434e77674bef7eeff415d56b68b04252c56
Instruction Fuzzy Hash: 68E06D742007118FE7309FB8D40C3427BE4BB00744F208A2DE89AC6B91DBB0E4848BA1

Function 00CCD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CCD220

Strings

X64, xrefs: 00CCD2A8
%.3d, xrefs: 00CCD22B

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0652b552c908097a3f453e33d8ce561f1517eed14ac76dff0a28c0680f9a39ac
Instruction ID: 0974c49b2a59550d66fa415a4a013970b09ebd2991ce392f10df25f1acb53214
Opcode Fuzzy Hash: 0652b552c908097a3f453e33d8ce561f1517eed14ac76dff0a28c0680f9a39ac
Instruction Fuzzy Hash: F3D012A1C08108EACB50A7E1CC45EBAB3BCEB09301F50847AF80BD2040D634C9496B65

Function 00D02356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0236C
PostMessageW.USER32(00000000), ref: 00D02373

Part of subcall function 00CDE97B: Sleep.KERNEL32 ref: 00CDE9F3

Strings

Shell_TrayWnd, xrefs: 00D02365

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dfa54f690b85a5a539e1cfefd3dbb07a5939eff1b542ba23c73ceebfc3968e10
Instruction ID: 80bf253b4c3455907083142ec79ead93e10b877c8fc41e2aaae2c84f0ac04668
Opcode Fuzzy Hash: dfa54f690b85a5a539e1cfefd3dbb07a5939eff1b542ba23c73ceebfc3968e10
Instruction Fuzzy Hash: C6D0C9763913107AE668B771AC0FFC666189B04B14F505A167749EA2E0C9E0A8058A64

Function 00D02322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D0233F

Part of subcall function 00CDE97B: Sleep.KERNEL32 ref: 00CDE9F3

Strings

Shell_TrayWnd, xrefs: 00D02325

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eb3d16f9fc383db51a46fea8db45ed5dbb28c25257aa41a2d2bdd66462ba28ab
Instruction ID: 3973163d4ebb464bacde9e74db7afced686f3f673957dcc301a4f898c863ef01
Opcode Fuzzy Hash: eb3d16f9fc383db51a46fea8db45ed5dbb28c25257aa41a2d2bdd66462ba28ab
Instruction Fuzzy Hash: CED012763A5310BBE678B771EC1FFC67A189B00B14F505A167749EA2E0C9F0E805CA74

Function 00CABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CABE93
GetLastError.KERNEL32 ref: 00CABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CABEFC

Memory Dump Source

Source File: 00000000.00000002.1286495554.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1286481772.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286596476.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286650042.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1286673817.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_Shipping Documents_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e34d2b809c4c134d6921cd993f81b9959574fec61115f82db0ee271e535d9133
Instruction ID: 51c5372ae34afb2c7ee1b8ccfc56c37c51c800daf52ab07de5b2e9ce7876075a
Opcode Fuzzy Hash: e34d2b809c4c134d6921cd993f81b9959574fec61115f82db0ee271e535d9133
Instruction Fuzzy Hash: B041E938605247AFCF21CFA5CC54BBA7BA5EF43314F184169F969971A2DB308E01DB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Documents_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Aaberg

C:\Users\user\AppData\Local\Temp\aut320.tmp

C:\Users\user\AppData\Local\Temp\aut38E.tmp

C:\Users\user\AppData\Local\Temp\obtenebrate

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Shipping Documents_pdf.exe

Function 00C742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00C742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00CB2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00C72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00CB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00C7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00C73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00CA8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 01D525F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00C72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01D523B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00CE2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00C73B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre