Edit tour

Windows Analysis Report
shipping advice.exe

Overview

General Information

Sample name:	shipping advice.exe
Analysis ID:	1496592
MD5:	1e158beaa852a13274b19effe4a010d9
SHA1:	1d86155b0195a451e36a3d49cd098fba4bf6da23
SHA256:	d54abd6ac9348ed05c33f77ae723cb262bd89fcce7d4d449f16b31ed01f401f4
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

shipping advice.exe (PID: 2668 cmdline: "C:\Users\user\Desktop\shipping advice.exe" MD5: 1E158BEAA852A13274B19EFFE4A010D9)

RegSvcs.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\shipping advice.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3424070590.0000000002466000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3424070590.000000000245E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33513:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3362f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33699:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33831:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipping advice.exe PID: 2668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipping advice.exe PID: 2668	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.1b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33513:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3362f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33699:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33831:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.shipping advice.exe.1bf0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipping advice.exe.1bf0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipping advice.exe.1bf0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33513:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3362f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33699:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33831:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.shipping advice.exe.1bf0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipping advice.exe.1bf0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipping advice.exe.1bf0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31713:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3179d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3182f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31899:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3190b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a31:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.251.80.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4196, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49725

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP - Source IP: 192.168.2.5 - Destination IP: 162.251.80.30

Timestamp:	2024-08-21T14:36:09.545560+0200
SID:	2030171
Severity:	1
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.5 - Destination IP: 162.251.80.30

Timestamp:	2024-08-21T14:36:09.545560+0200
SID:	2839723
Severity:	1
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.5 - Destination IP: 162.251.80.30

Timestamp:	2024-08-21T14:36:09.545560+0200
SID:	2840032
Severity:	1
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla Exfil via SMTP - Source IP: 192.168.2.5 - Destination IP: 162.251.80.30

Timestamp:	2024-08-21T14:36:19.603509+0200
SID:	2855245
Severity:	1
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.5 - Destination IP: 162.251.80.30

Timestamp:	2024-08-21T14:36:19.603509+0200
SID:	2855542
Severity:	1
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.1b0000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}

Multi AV Scanner detection for submitted file

Source: shipping advice.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipping advice.exe

Joe Sandbox ML: detected

Source: shipping advice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: shipping advice.exe, 00000000.00000003.2191898786.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, shipping advice.exe, 00000000.00000003.2194836820.0000000003A90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping advice.exe, 00000000.00000003.2191898786.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, shipping advice.exe, 00000000.00000003.2194836820.0000000003A90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008BDBBE
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0088C2A2 FindFirstFileExW,	0_2_0088C2A2
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C68EE FindFirstFileW,FindClose,	0_2_008C68EE
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008C698F
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008BD076
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008BD3A9
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008C9642
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008C979D
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008C9B2B
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008C5C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49725 -> 162.251.80.30:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49725 -> 162.251.80.30:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49725 -> 162.251.80.30:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49725 -> 162.251.80.30:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49725 -> 162.251.80.30:587

Source: global traffic

TCP traffic: 192.168.2.5:49725 -> 162.251.80.30:587

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.5:49725 -> 162.251.80.30:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_008CCE44

Source: global traffic

DNS traffic detected: DNS query: mail.thelamalab.com

Source: RegSvcs.exe, 00000002.00000002.3424070590.0000000002466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.thelamalab.com
Source: shipping advice.exe, 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, abAX9N.cs

.Net Code: K8VU1S

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008CEAFF

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008CED6A

Source: C:\Users\user\Desktop\shipping advice.exe

0_2_008CEAFF

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008BAA57

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008E9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.shipping advice.exe.1bf0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: shipping advice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: shipping advice.exe, 00000000.00000000.2181110057.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_719fbda2-2
Source: shipping advice.exe, 00000000.00000000.2181110057.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1258c0ce-3
Source: shipping advice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64cc1775-4
Source: shipping advice.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_903bc66f-b

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008BD5EB

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008B1201

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008BE8F6

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C2046	0_2_008C2046
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00858060	0_2_00858060
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008B8298	0_2_008B8298
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0088E4FF	0_2_0088E4FF
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0088676B	0_2_0088676B
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008E4873	0_2_008E4873
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0087CAA0	0_2_0087CAA0
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0085CAF0	0_2_0085CAF0
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0086CC39	0_2_0086CC39
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00886DD9	0_2_00886DD9
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008591C0	0_2_008591C0
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0086B119	0_2_0086B119
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00871394	0_2_00871394
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00871706	0_2_00871706
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0087781B	0_2_0087781B
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008719B0	0_2_008719B0
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00857920	0_2_00857920
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0086997D	0_2_0086997D
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00877A4A	0_2_00877A4A
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00877CA7	0_2_00877CA7
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00871C77	0_2_00871C77
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00889EEE	0_2_00889EEE
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008DBE44	0_2_008DBE44
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00871F32	0_2_00871F32
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_01BE3620	0_2_01BE3620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00964A98	2_2_00964A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00969BE8	2_2_00969BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0096CDA0	2_2_0096CDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00963E80	2_2_00963E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_009641C8	2_2_009641C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00969BE2	2_2_00969BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05928778	2_2_05928778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_059226E0	2_2_059226E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05920040	2_2_05920040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_059252C8	2_2_059252C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0592D900	2_2_0592D900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0592B8F8	2_2_0592B8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05923B38	2_2_05923B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05922E30	2_2_05922E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05924BE8	2_2_05924BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0096DACA	2_2_0096DACA

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: String function: 0086F9F2 appears 40 times
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: String function: 00859CB3 appears 31 times
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: String function: 00870A30 appears 46 times

Source: shipping advice.exe, 00000000.00000003.2192844802.0000000003A13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping advice.exe
Source: shipping advice.exe, 00000000.00000003.2193321638.0000000003BBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping advice.exe
Source: shipping advice.exe, 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs shipping advice.exe

Source: shipping advice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.shipping advice.exe.1bf0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008C37B5 GetLastError,FormatMessageW,

0_2_008C37B5

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008B10BF AdjustTokenPrivileges,CloseHandle,		0_2_008B10BF
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008B16C3

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008C51CD

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008DA67C

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008C648E

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008542A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\shipping advice.exe

File created: C:\Users\user\AppData\Local\Temp\aut9A2F.tmp

Jump to behavior

Source: shipping advice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\shipping advice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: shipping advice.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\shipping advice.exe "C:\Users\user\Desktop\shipping advice.exe"
Source: C:\Users\user\Desktop\shipping advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping advice.exe"
Source: C:\Users\user\Desktop\shipping advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping advice.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: shipping advice.exe

Static file information: File size 1180160 > 1048576

Source: shipping advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: shipping advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: shipping advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: shipping advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: shipping advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: shipping advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: shipping advice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: shipping advice.exe, 00000000.00000003.2191898786.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, shipping advice.exe, 00000000.00000003.2194836820.0000000003A90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping advice.exe, 00000000.00000003.2191898786.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, shipping advice.exe, 00000000.00000003.2194836820.0000000003A90000.00000004.00001000.00020000.00000000.sdmp

Source: shipping advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: shipping advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: shipping advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: shipping advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: shipping advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008542DE

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_00870A76 push ecx; ret

0_2_00870A89

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0086F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0086F98E
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008E1C41

Source: C:\Users\user\Desktop\shipping advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\shipping advice.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98152

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\shipping advice.exe

API/Special instruction interceptor: Address: 1BE3244

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3694			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 850			Jump to behavior

Source: C:\Users\user\Desktop\shipping advice.exe

API coverage: 3.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008BDBBE
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0088C2A2 FindFirstFileExW,	0_2_0088C2A2
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C68EE FindFirstFileW,FindClose,	0_2_008C68EE
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008C698F
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008BD076
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008BD3A9
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008C9642
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008C979D
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008C9B2B
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008C5C97

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008542DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98166	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97929	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: shipping advice.exe, 00000000.00000002.2197680755.0000000001050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ewxQemUiEk5ZDVeUr
Source: RegSvcs.exe, 00000002.00000002.3425636515.0000000005820000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008CEAA2 BlockInput,

0_2_008CEAA2

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_00882622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00882622

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008542DE

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00874CE8 mov eax, dword ptr fs:[00000030h]	0_2_00874CE8
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_01BE3510 mov eax, dword ptr fs:[00000030h]	0_2_01BE3510
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_01BE34B0 mov eax, dword ptr fs:[00000030h]	0_2_01BE34B0
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_01BE1E70 mov eax, dword ptr fs:[00000030h]	0_2_01BE1E70

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008B0B62

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00882622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00882622
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_0087083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0087083F
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008709D5 SetUnhandledExceptionFilter,	0_2_008709D5
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_00870C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00870C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\shipping advice.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\shipping advice.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2B3008

Jump to behavior

Source: C:\Users\user\Desktop\shipping advice.exe

0_2_008B1201

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_00892BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00892BA5

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008BB226 SendInput,keybd_event,

0_2_008BB226

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008D22DA

Source: C:\Users\user\Desktop\shipping advice.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping advice.exe"

Jump to behavior

Source: C:\Users\user\Desktop\shipping advice.exe

0_2_008B0B62

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008B1663

Source: shipping advice.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: shipping advice.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_00870698 cpuid

0_2_00870698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_008C8195

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008AD27A GetUserNameW,

0_2_008AD27A

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_0088B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0088B952

Source: C:\Users\user\Desktop\shipping advice.exe

Code function: 0_2_008542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008542DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping advice.exe.1bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3424070590.0000000002466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3424070590.000000000245E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping advice.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4196, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: shipping advice.exe	Binary or memory string: WIN_81
Source: shipping advice.exe	Binary or memory string: WIN_XP
Source: shipping advice.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: shipping advice.exe	Binary or memory string: WIN_XPe
Source: shipping advice.exe	Binary or memory string: WIN_VISTA
Source: shipping advice.exe	Binary or memory string: WIN_7
Source: shipping advice.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping advice.exe.1bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping advice.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4196, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping advice.exe.1bf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping advice.exe.1bf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3424070590.0000000002466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3424070590.000000000245E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping advice.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4196, type: MEMORYSTR

Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_008D1204
Source: C:\Users\user\Desktop\shipping advice.exe	Code function: 0_2_008D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	331 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipping advice.exe	50%	ReversingLabs	Win32.Hacktool.Mimikatz
shipping advice.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://mail.thelamalab.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown
mail.thelamalab.com	162.251.80.30	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.thelamalab.com	RegSvcs.exe, 00000002.00000002.3424070590.0000000002466000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	shipping advice.exe, 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.251.80.30	mail.thelamalab.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1496592
Start date and time:	2024-08-21 14:35:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shipping advice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 46 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: shipping advice.exe

Simulations

Behavior and APIs

Time	Type	Description
08:36:16	API Interceptor	22x Sleep call for process: RegSvcs.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://filegen.fortinet.com/v1/sandbox-file?file_name=windows.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://www.pro-pharma.co.uk	Get hash	malicious	Unknown	Browse	199.232.210.172
	MTWE UNTITLED.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://mantraonlittlebourke.guestreservations.com/35061/booking?gad_source=1&gclid=EAIaIQobChMIl-2ym7yFiAMV19QWBR2tTADfEAAYAiAFEgIBzPD_BwE	Get hash	malicious	Unknown	Browse	199.232.210.172
	1724226659ad3c86adf90ead8e85be00ee17653b242dddaf7b133397ec2c8c708c9397b763517.dat-decoded.exe	Get hash	malicious	Remcos	Browse	199.232.210.172
	http://qemailserver.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	4oaZbWLah0.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse	199.232.210.172
	air_way_bill_Dhl_invoice_bl_pl_21_08_2024_00000000.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	Tracking_Invoice_Awb_BL_00340434757340073972.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.214.172
mail.thelamalab.com	new p o.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SHIPPING ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	receipt-73633T36X90N.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	AQQ-T7630-CVE8.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SCAN_INCORRECT_DETAILS.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	SecuriteInfo.com.Heur.26171.30744.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	rShippingDocuments.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	rShippingDocuments.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	207.174.215.249
	New PO pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	https://vagvn.remmipyservice.org/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=7f545595-f5d6-deb9-f7f9-d2b50e22cac0&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638594191528303546.52bdeb30-750b-42d2-83a1-0b37c2fd3e58&state=DctBFoAgCABRrNdxSARJPI6kbVt2_Vj82U0CgD1sIVEE2iWmvZZelE1ItF6nss_lQtiUHCtPRpNRkFzazc-UpZbiPfL7jfwD&sso_reload=tru	Get hash	malicious	HTMLPhisher	Browse	199.79.63.24
	http://sapr.co.in	Get hash	malicious	Unknown	Browse	103.53.42.238
	http://payment1-payu.maklifedairy.in/	Get hash	malicious	Unknown	Browse	45.113.122.245
	Shipping Documents.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	207.174.215.249
	https://professionalprojectmanagementpro.benchurl.com/c/l?u=116E33D3&e=188D7F3&c=167E3A&t=0&l=108F0FCB5&email=kVZdtuK%2FWFCzmtjGcu30tMObv%2BTy5rLraMk9iWbyXew%3D&seq=1	Get hash	malicious	Unknown	Browse	162.215.241.39
	QUOTE-4K748388-A-CCC2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.224

Process:	C:\Users\user\Desktop\shipping advice.exe
File Type:	data
Category:	dropped
Size (bytes):	155250
Entropy (8bit):	7.944538058202758
Encrypted:	false
SSDEEP:	3072:Dd1HSbvETM58njvOcXtnLHy0ske90SZeKn70mfGY2Huvy:DbWvETMCTOc9LHYto6uNOK
MD5:	B31AA4F091115E14A5C45B0302AD1152
SHA1:	FF5C09EC199A2EE10C85B0312EB28237133CF8C8
SHA-256:	2264FA7FA732BDA5B2C568D2B4A6EE34B2D23B1289D37788AA5569C7083BF502
SHA-512:	CC9CC835DD659B44267F622357F3666CA2D862CD14189956A34C66AA6EAAE97D2130103EAB8756A9480D5FA8DAB558A598F97FD6D7C5DD30F8D59B141289A3DA
Malicious:	false
Reputation:	low
Preview:	EA06.....B{..=VsT......1.Li.9..K..f4@.r...Q..9.X._50..t....3.?...X...u....<..#..j..b#6.Odu..1..$R.4.{.._..:.zc...'....c.i.Z.O.Mi.....s[zu..X.Wf4..cU..9.u.....`..-2...5Z]..\..\`....P.kD....1M..zs.u.k1..\5J...q....r?...>...;.L.....&5....S.....M....sv..`...Si..q...jsX.....\l..@....C...@..F...\|j..uT.........Zc....$.1.......1.fi..?.J.N..\\|~.U.........c..Ti.[.RsW.\).j}T......%./.7...`...~.S.]62.=3i...?......h)U..r?.......-#..cS_mj....)..Fs.'.Q.sj.O........%.L.Si..........L......Y..-..g.z..{.3A...1X^.A0.j&...._6.....kT..>U......h.......`....U...1/..w..Qf..'.....g.P..~..V.3..y<..$.......". .b...A.?K...&..,............M:.g.@".....']./f...3.....5.K.9.w.a..".8..}>..b....E]..e..#9..a.z..5..fSZ...C.n.....S..).y.j.@.r...V...[7.......G%:IP.>6.:n....p.Z.9..1.t...^..\.....nQ...fq...+C.N'..<..q.E.Wy..A+....H...4...U.Ui.9..g1..f5......Q..:.Na.....:...C.u:Lo.W..(u..@..U#5..wW..iq.%V.'.....`..4.UV.W....j$....C,.i.Zwn.s*.J..aR../....F...5i.:.#

C:\Users\user\AppData\Local\Temp\aut9A5F.tmp

Download File

Process:	C:\Users\user\Desktop\shipping advice.exe
File Type:	data
Category:	dropped
Size (bytes):	43604
Entropy (8bit):	7.8266678081588195
Encrypted:	false
SSDEEP:	768:RvPvvqR1vkp9mA4hyLm/mmpvX5b0G8dJSG05M6UMD5oQEuldNI6J2RVYL:RX3EJhei/mmfVJ0Z57uNIxVY
MD5:	597857FF440CDEBF01F5AD06A9F0281B
SHA1:	CF9E5565268446C243E2020407C3B67D866BF39B
SHA-256:	35EE8009679D11575045DB91A94FA8332D1097026E8A1FB3D64EF8CDAFB98540
SHA-512:	19856837084F90F1524CAAFA98AC9E19FC0FDB0B102A6784488F793F0744E5801686A6B3BF235E038B25BCA4B1455C803E1D136D9DFBA23582E0733C5663A158
Malicious:	false
Reputation:	low
Preview:	EA06..P....y.^g5......6.U..Z..gM..(.9.jm5..u.....L..9..3.Sfs...aV..39.g6.L.i.....?.9..m2.L....3.T...\.`.NV&sj..qQ..i.9..g5..6.9..m2.L.5Y..3..@..L.v....J$.mD.6.s9.bg4...)....Rf....oJ.....\.5.P@.s6.o)39..g9.L.0.....M.UI..Q6..;I.Rg0.L........L.. ..qG..h.9..g5.......6.c' ...g5..1.......F.........)....M.u...6...sj4.gC.f. !.8.U..&....E....d...!.fg8.L.t....gV..`...B....3.P.s.8.a3..s......i.9..qW.`...P.......2.....M+Si.>g9....i.m1...T...aQ@...<V.B.D.:..`.L.3.Q..X....M.x.O............U`.fh......Fm2.L.5I...$.7(.<u`.....y......L....`......b..P..:8.....8.}A...S9.Vg9...P......4I...d....@.......-..yK.L.si.`.!.Rf.Z`..Z....O0.P.j...@.4...2&....6.Pf.jd.mB....i.T..Li.9...X....".......D...`.N......4...m6...........@..F)`#U`....@Q..k8...r. ..6.R......6.\...@..T....@50./T0 ........g4..(............ '.$.!..h........h.4.......0....&.`........3.P..ZH.D.K..5P-.....M@...f..M(3i.4....F...J..a. 0..d.....R...y.#r.3.Q..@I*`.@.m.I...[...d..T.B....5P..j..t

C:\Users\user\AppData\Local\Temp\orographically

Download File

Process:	C:\Users\user\Desktop\shipping advice.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86022
Entropy (8bit):	4.179408874405051
Encrypted:	false
SSDEEP:	1536:19WzryPvDc9t83Syq5bA5tY9oxboaxTkxbQ5XPjnTlIm6LPI97d:10zr9t75SrkE5fim6LPA
MD5:	9144273E790C6157A2EE262330EF44FB
SHA1:	7F04CC15DAEFE1620B4624FE020DD536E482EA7B
SHA-256:	7A4DA087C866098C7CD21F6E8DF4A077AF7127D50B48F62D963A030BF457F62C
SHA-512:	51810807D20C8D98B9FE4BB1CD9FE79A38EEA3944EAD1BB9A00F253D2D976792E91B3402FE9A192BE67BD7CC11DA8915E03F98FD44D04CC9577DBA28A2E1FB1C
Malicious:	false
Reputation:	low
Preview:	30W78W35O35Q38T62W65B63M38E31Z65U63Z63E63Z30C32H30M30R30V30Q35J36H35F37T62Q38V36C62D30L30B30P30B30K30J36X36S38Q39M34K35W38T34F62N39U36T35Y30J30S30R30S30H30D36D36S38C39X34Y64R38M36C62I61R37J32F30J30W30Q30A30W30Q36J36I38A39D35C35Q38S38V62T38W36E65O30T30X30Z30T30H30N36B36H38G39E34E35E38K61B62F39V36G35G30A30O30Q30B30W30M36L36C38A39Y34R64M38T63Y62E61G36F63C30Z30I30K30N30D30R36Y36R38A39D35T35T38C65F62Y38J33I33Y30I30X30B30B30W30V36O36N38B39G34R35Z39O30H62T39H33J32W30D30X30Q30T30C30U36V36C38S39U34Z64O39Q32H62J61A32N65A30Q30E30Q30P30B30Z36H36Q38G39H35S35T39B34G62K38A36X34L30B30O30I30P30Y30C36F36S38V39H34C35N39A36Q62R39T36Z63V30F30R30X30E30F30R36D36Q38R39F34N64Z39G38K62Y61J36C63G30L30B30Y30G30P30A36H36B38U39N35Q35R39D61A33I33D63O30W36R36G38T39I34T35G39K63S62X39M36I65L30I30Z30E30D30S30N36U36E38D39B38K64O34P34H66A66L66B66L66M66U62T61M37B34X30W30G30B30O30X30P36R36M38E39D39X35O34F36W66C66G66N66N66I66Y62F38V36X34I30K30K30F30X30Y30B36F36E38K39A38O35U34D38U66J66J66B66E66Z66C62H39M36T63O30H30C30L30F30X3

C:\Users\user\AppData\Local\Temp\starbright

Download File

Process:	C:\Users\user\Desktop\shipping advice.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.655471882086101
Encrypted:	false
SSDEEP:	6144:8kLkGxWalf8qACzc4w/q39h/8/UV9RJ9h:5LkGFlf8qPc4w/qz/8/4nJb
MD5:	963BF1B51D3853A2775F6212B97E670A
SHA1:	CFCB7AC8604428C980E46D6B39A0027A8FD604A4
SHA-256:	DFF02045F7ABC1FE81729B19110CE093E99B624D8A66DEC0D935BB98E45725F8
SHA-512:	0BD21EB84DEE6DA8E14B198B6360F586FF832A8C3FF25FDA0D117CFE22CC653FF81C577CE9638A4F0B38F251BD0EA29C61AFCF43CC4CE0224A8F06330C3C99A7
Malicious:	false
Reputation:	low
Preview:	...1GU9TGRWN..S1.1NS51UK.M1DU9TCRWNFOS1V1NS51UKSM1DU9TCRWNFO.1V1@L.?U.Z...Tu.b.?'5o#C9V<2X.6=#^0u[1c " f&=..~.sX^1.}@<Nq9TCRWNF..1V}OP5O.S5M1DU9TCR.NDNX0]1N.61UCSM1DU9..QWNfOS1.2NS5qUKsM1DW9TGRWNFOS1R1NS51UKSM5DU;TCRWNFMSq.1NC51EKSM1TU9DCRWNFOC1V1NS51UKSM..V9.CRWN.LSwS1NS51UKSM1DU9TCRWNF.P1Z1NS51UKSM1DU9TCRWNFOS1V1NS51UKSM1DU9TCRWNFOS1V1NS51UkSM9DU9TCRWNFOS9v1N.51UKSM1DU9Tm&262OS1..MS5.UKS.2DU;TCRWNFOS1V1NS5.UK3cC7'ZTCR.KFOS.U1NU51U.PM1DU9TCRWNFOSqV1.}GT9$0M1HU9TC.TNFMS1V.MS51UKSM1DU9TC.WN.OS1V1NS51UKSM1DU..@RWNFO.1V1LS01..QM.tT9WCRWOFOU1V1NS51UKSM1DU9TCRWNFOS1V1NS51UKSM1DU9TCRWNFOS1V,......m.Lz_[S.t.).L..E...~Z.F.JP...._......#7..5.Z{...M...'.FC6R......Q^:]%b3z65.O....n."q..3_.1..:g.:Ev.g....u..y>!....0..7,?y/6??Txb/5TC<.Q.0DU9T.......?I...2ZUg_I.....fE6....ONS5UUKS?1DUXTCR.NFO<1V1 S51+KSMODU9.CRW.FOS.V1Nv51U&SM1`U9T=RWN.2\>..:F..KSM1D`..s.:.....a....@.5./....0....C..>>.9.yv..]../..C.9Qm..T0P5KQ25VGnCz...uAVSKDHW2Z.@...j.k..l...#....).*1NS51U.SM.DU9..R.NFO.1.1..51U.M.D.9...W

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.052376708527746
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shipping advice.exe
File size:	1'180'160 bytes
MD5:	1e158beaa852a13274b19effe4a010d9
SHA1:	1d86155b0195a451e36a3d49cd098fba4bf6da23
SHA256:	d54abd6ac9348ed05c33f77ae723cb262bd89fcce7d4d449f16b31ed01f401f4
SHA512:	908087959e31b423b1cc235482931cab5dc8c561b8192e1fca08440af95d12c7bd7db943e3ed3df19e79937ed0e8d347949c23eeb50a3d155357076eee5701ea
SSDEEP:	24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8aKsYyfETeX1oN:dTvC/MTQYxsWR7aKsYyfRX
TLSH:	AD45BF0273D1D022FFAB92334B5AF6515BBC69260123E62F13981D79BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C51667 [Tue Aug 20 22:19:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F0F94C1ADE3h
jmp 00007F0F94C1A6EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0F94C1A8CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0F94C1A89Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F0F94C1D48Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F0F94C1D4D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F0F94C1D4C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x49798	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x49798	0x49800	489832914461dee0cb9d401d837fe2ec	False	0.9110265199829932	data	7.853765676421722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x40a60	data			1.0003436555891239
RT_GROUP_ICON	0x11d218	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11d290	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11d2a4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11d2b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11d2cc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11d3a8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-21T14:36:09.545560+0200	TCP	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	49725	587	192.168.2.5	162.251.80.30
2024-08-21T14:36:09.545560+0200	TCP	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	49725	587	192.168.2.5	162.251.80.30
2024-08-21T14:36:09.545560+0200	TCP	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	49725	587	192.168.2.5	162.251.80.30
2024-08-21T14:36:19.603509+0200	TCP	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	49725	587	192.168.2.5	162.251.80.30
2024-08-21T14:36:19.603509+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49725	587	192.168.2.5	162.251.80.30

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 14:36:17.696584940 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:17.702056885 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:17.702146053 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:18.379688978 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.380633116 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:18.386451960 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.544015884 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.545090914 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:18.557373047 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.740688086 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.741746902 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:18.747117996 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.924937963 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:18.925688982 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:18.930633068 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.091636896 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.091849089 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:19.096683979 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.431991100 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.432231903 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:19.437509060 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.602669954 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.603393078 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:19.603508949 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:19.603508949 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:19.603508949 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:36:19.608385086 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.608403921 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.608632088 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.609667063 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.880498886 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:36:19.924702883 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:37:57.393364906 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:37:57.401278973 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:37:57.762455940 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:37:57.762653112 CEST	587	49725	162.251.80.30	192.168.2.5
Aug 21, 2024 14:37:57.762725115 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:37:57.762809038 CEST	49725	587	192.168.2.5	162.251.80.30
Aug 21, 2024 14:37:57.769684076 CEST	587	49725	162.251.80.30	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 14:36:17.373006105 CEST	59090	53	192.168.2.5	1.1.1.1
Aug 21, 2024 14:36:17.688966990 CEST	53	59090	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 21, 2024 14:36:17.373006105 CEST	192.168.2.5	1.1.1.1	0x23cc	Standard query (0)	mail.thelamalab.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 21, 2024 14:36:11.177289963 CEST	1.1.1.1	192.168.2.5	0x579d	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Aug 21, 2024 14:36:11.177289963 CEST	1.1.1.1	192.168.2.5	0x579d	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 21, 2024 14:36:17.688966990 CEST	1.1.1.1	192.168.2.5	0x23cc	No error (0)	mail.thelamalab.com	162.251.80.30	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 21, 2024 14:36:18.379688978 CEST	587	49725	162.251.80.30	192.168.2.5	220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 21 Aug 2024 18:06:18 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 21, 2024 14:36:18.380633116 CEST	49725	587	192.168.2.5	162.251.80.30	EHLO 813848
Aug 21, 2024 14:36:18.544015884 CEST	587	49725	162.251.80.30	192.168.2.5	250-md-114.webhostbox.net Hello 813848 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 21, 2024 14:36:18.545090914 CEST	49725	587	192.168.2.5	162.251.80.30	AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
Aug 21, 2024 14:36:18.740688086 CEST	587	49725	162.251.80.30	192.168.2.5	334 UGFzc3dvcmQ6
Aug 21, 2024 14:36:18.924937963 CEST	587	49725	162.251.80.30	192.168.2.5	235 Authentication succeeded
Aug 21, 2024 14:36:18.925688982 CEST	49725	587	192.168.2.5	162.251.80.30	MAIL FROM:<billing@thelamalab.com>
Aug 21, 2024 14:36:19.091636896 CEST	587	49725	162.251.80.30	192.168.2.5	250 OK
Aug 21, 2024 14:36:19.091849089 CEST	49725	587	192.168.2.5	162.251.80.30	RCPT TO:<jinhux31@gmail.com>
Aug 21, 2024 14:36:19.431991100 CEST	587	49725	162.251.80.30	192.168.2.5	250 Accepted
Aug 21, 2024 14:36:19.432231903 CEST	49725	587	192.168.2.5	162.251.80.30	DATA
Aug 21, 2024 14:36:19.602669954 CEST	587	49725	162.251.80.30	192.168.2.5	354 Enter message, ending with "." on a line by itself
Aug 21, 2024 14:36:19.603508949 CEST	49725	587	192.168.2.5	162.251.80.30	.
Aug 21, 2024 14:36:19.880498886 CEST	587	49725	162.251.80.30	192.168.2.5	250 OK id=1sgkZX-00262b-1g
Aug 21, 2024 14:37:57.393364906 CEST	49725	587	192.168.2.5	162.251.80.30	QUIT
Aug 21, 2024 14:37:57.762455940 CEST	587	49725	162.251.80.30	192.168.2.5	221 md-114.webhostbox.net closing connection

Target ID:	0
Start time:	08:36:13
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\shipping advice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping advice.exe"
Imagebase:	0x850000
File size:	1'180'160 bytes
MD5 hash:	1E158BEAA852A13274B19EFFE4A010D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2200845416.0000000001BF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:36:14
Start date:	21/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping advice.exe"
Imagebase:	0xe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3424070590.0000000002466000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3424070590.000000000245E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3423328279.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3424070590.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3.1%
Total number of Nodes:	1921
Total number of Limit Nodes:	54

Executed Functions

Function 008542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0085430D

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

GetCurrentProcess.KERNEL32(?,008ECB64,00000000,?,?), ref: 00854422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00854429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00854454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00854466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00854474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0085447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008544A0

Strings

GetNativeSystemInfo, xrefs: 00854460
kernel32.dll, xrefs: 0085444F
|O, xrefs: 008936F8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: acc6d444da886e29d4bbfe284eaf146054c415f6099555fcad4ff374cde19a5e
Instruction ID: b6d9b136c7d0ebf8fdc80891d20c188211884e1b330edbf6e0075021ae5bb6d4
Opcode Fuzzy Hash: acc6d444da886e29d4bbfe284eaf146054c415f6099555fcad4ff374cde19a5e
Instruction Fuzzy Hash: 71A1F86292E3C4DFCB32E7697C841D53FE6FB76345B0854A8E441D3A21D230466BEB25

Function 008542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008550AA,?,?,00000000,00000000), ref: 008542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008550AA,?,?,00000000,00000000), ref: 008542C9
LoadResource.KERNEL32(?,00000000,?,?,008550AA,?,?,00000000,00000000,?,?,?,?,?,?,00854F20), ref: 008935BE
SizeofResource.KERNEL32(?,00000000,?,?,008550AA,?,?,00000000,00000000,?,?,?,?,?,?,00854F20), ref: 008935D3
LockResource.KERNEL32(008550AA,?,?,008550AA,?,?,00000000,00000000,?,?,?,?,?,?,00854F20,?), ref: 008935E6

Strings

SCRIPT, xrefs: 008542BF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9f81cbab77500ff95792ea28116be26f0896e4e70600caabdef4af4e10b9df17
Instruction ID: 9c15060ed2aa809aa25d53d72e2d2ac91b2919176e46d743ff2ee47c0c657e5e
Opcode Fuzzy Hash: 9f81cbab77500ff95792ea28116be26f0896e4e70600caabdef4af4e10b9df17
Instruction Fuzzy Hash: E511CE70600301BFDB218B65DC88F277BB9FBC5B56F1441A9F913CA250DBB2DC068620

Function 00892BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00852B6B

Part of subcall function 00853A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00921418,?,00852E7F,?,?,?,00000000), ref: 00853A78

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00912224), ref: 00892C10
ShellExecuteW.SHELL32(00000000,?,?,00912224), ref: 00892C17

Strings

runas, xrefs: 00892C0B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f893856325856e8b6f3d28c89de46c9631dc9d22cdfe88606d621e2c942d033a
Instruction ID: 78887c82d3c60abe00f7dce8ed6b31a7aaf5d1c79281b0529945fb68fa754d5b
Opcode Fuzzy Hash: f893856325856e8b6f3d28c89de46c9631dc9d22cdfe88606d621e2c942d033a
Instruction Fuzzy Hash: 4E11D531608345AAC718FF68E8519AE7BA4FFA5352F44042CF886C21A2DF208A4E8713

Function 008BDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00895222), ref: 008BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 008BDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 008BDBEE
FindClose.KERNEL32(00000000), ref: 008BDBFA

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fe57b0d95bc8bb49705b739e949b91e2a658fab42d4dbb73f46236b97da1dd37
Instruction ID: 2b5515c4af1f67548d9b5fc520a89f7e1e1cec80a2d9f488be09ea71328c2f43
Opcode Fuzzy Hash: fe57b0d95bc8bb49705b739e949b91e2a658fab42d4dbb73f46236b97da1dd37
Instruction Fuzzy Hash: 66F0A030C10A146782206B78AC4E8AA3B6CFF02334B104702F936C22F0FBB05D568695

Function 0085D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0085D807
timeGetTime.WINMM ref: 0085DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085DB28
TranslateMessage.USER32(?), ref: 0085DB7B
DispatchMessageW.USER32(?), ref: 0085DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085DB9F
Sleep.KERNEL32(0000000A), ref: 0085DBB1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: afb089a63c6c17bd580a7c6ba9c8e3306064393be0de4ca4819051e18dd76149
Instruction ID: e44ec454b107d5bc6e0042e0333f2c3a2e5d7a36acac9ff4d14ceb9c630e43de
Opcode Fuzzy Hash: afb089a63c6c17bd580a7c6ba9c8e3306064393be0de4ca4819051e18dd76149
Instruction Fuzzy Hash: 6142CD30608345DFE739CF28C884BAABBE1FF46315F148559EC56CB2A1D770A849DB92

Function 00852CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00852D07
RegisterClassExW.USER32(00000030), ref: 00852D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00852D42
InitCommonControlsEx.COMCTL32(?), ref: 00852D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00852D6F
LoadIconW.USER32(000000A9), ref: 00852D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00852D94

Strings

0, xrefs: 00852CE9
AutoIt v3 GUI, xrefs: 00852D23
TaskbarCreated, xrefs: 00852D37
+, xrefs: 00852CF0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 41cc9688ee415ccbb4dafeafc80c57c466cea72e05096a09ce94eaff3a08de37
Instruction ID: 70331c882603278a7805e764956671e4a0ecd2ea5f3ddfefe323dbefdc54a77a
Opcode Fuzzy Hash: 41cc9688ee415ccbb4dafeafc80c57c466cea72e05096a09ce94eaff3a08de37
Instruction Fuzzy Hash: A221F7B5D15358AFDB10DFA8EC89BDDBBB4FB08700F00811AF611AA2A0D7B14556DF91

Function 0089065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0089039A: CreateFileW.KERNELBASE(00000000,00000000,?,00890704,?,?,00000000,?,00890704,00000000,0000000C), ref: 008903B7

GetLastError.KERNEL32 ref: 0089076F
__dosmaperr.LIBCMT ref: 00890776
GetFileType.KERNELBASE(00000000), ref: 00890782
GetLastError.KERNEL32 ref: 0089078C
__dosmaperr.LIBCMT ref: 00890795
CloseHandle.KERNEL32(00000000), ref: 008907B5
CloseHandle.KERNEL32(?), ref: 008908FF
GetLastError.KERNEL32 ref: 00890931
__dosmaperr.LIBCMT ref: 00890938

Strings

H, xrefs: 008908BD

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 13f4c84d626d459131768b51ef78edae63a04bf2cdfc31235b97a46112b72c30
Instruction ID: e7d95d53702f81519875fcdc9cf57040269fe8e7d746a68cd7152a41aafa4abe
Opcode Fuzzy Hash: 13f4c84d626d459131768b51ef78edae63a04bf2cdfc31235b97a46112b72c30
Instruction Fuzzy Hash: 0DA10532A141089FDF19AF68D851BAE7BA0FB46324F184159F815DF392DB319813DF92

Function 0085344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00853A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00921418,?,00852E7F,?,?,?,00000000), ref: 00853A78

Part of subcall function 00853357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00853379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0085356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0089318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008931CE
RegCloseKey.ADVAPI32(?), ref: 00893210
_wcslen.LIBCMT ref: 00893277
_wcslen.LIBCMT ref: 00893286

Strings

\, xrefs: 0089328C
\Include\, xrefs: 00853527
Include, xrefs: 00893184, 008931C5
Software\AutoIt v3\AutoIt, xrefs: 00853560

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ae9920372f84dbd780425eb49403bf0b7673dbd3fc8cfea39b0c208f536bb62b
Instruction ID: 592d0630a27dd73bfac487399e0e6ba0aef74c826471be43cdc99d007042823e
Opcode Fuzzy Hash: ae9920372f84dbd780425eb49403bf0b7673dbd3fc8cfea39b0c208f536bb62b
Instruction Fuzzy Hash: 8B71B371418301AFC724EF69EC8196BBBE8FF95B51F80042EF945C7161EB349A4ACB52

Function 00852B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00852B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00852B9D
LoadIconW.USER32(00000063), ref: 00852BB3
LoadIconW.USER32(000000A4), ref: 00852BC5
LoadIconW.USER32(000000A2), ref: 00852BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00852BEF
RegisterClassExW.USER32(?), ref: 00852C40

Part of subcall function 00852CD4: GetSysColorBrush.USER32(0000000F), ref: 00852D07
Part of subcall function 00852CD4: RegisterClassExW.USER32(00000030), ref: 00852D31
Part of subcall function 00852CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00852D42
Part of subcall function 00852CD4: InitCommonControlsEx.COMCTL32(?), ref: 00852D5F
Part of subcall function 00852CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00852D6F
Part of subcall function 00852CD4: LoadIconW.USER32(000000A9), ref: 00852D85
Part of subcall function 00852CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00852D94

Strings

AutoIt v3, xrefs: 00852C2F
0, xrefs: 00852C0F
#, xrefs: 00852C16

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b68b35a38edfde2dfa44e9778bad5e532f9f7d83f1f28e8af3dac8b17ae57b1d
Instruction ID: f1a050d9eb0dc933d60f3cbecda8ed7181659fb2315f4b22954b96c95747eefe
Opcode Fuzzy Hash: b68b35a38edfde2dfa44e9778bad5e532f9f7d83f1f28e8af3dac8b17ae57b1d
Instruction Fuzzy Hash: 84214F70E24354ABDB20DFA9EC85B9D7FB6FB1CB50F00402AF500A66A0D7B10556EF90

Function 00853170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0085316A,?,?), ref: 008531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0085316A,?,?), ref: 00853204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00853227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0085316A,?,?), ref: 00853232
CreatePopupMenu.USER32 ref: 00853246
PostQuitMessage.USER32(00000000), ref: 00853267

Strings

TaskbarCreated, xrefs: 0085322D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d34c8fe65c5371793c9a1db8fbaf56b928dbc97cde8d06d3eb8401b49ce005d4
Instruction ID: a055ba70ea2b8c2354705af2c8ea446051f4ea72d13f6460de0e1e3d0fb9af65
Opcode Fuzzy Hash: d34c8fe65c5371793c9a1db8fbaf56b928dbc97cde8d06d3eb8401b49ce005d4
Instruction Fuzzy Hash: 6A419A34654608BBDF356B3CAC4DB793A59F7153C7F040125FD02C62A1CB708E5AA7A2

Function 00888D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69aa5d59d53e68da848490990df77c12e45d88b687c6636e29ca6389491c0f4
Instruction ID: f5d7b611e363d91aa6205e5c5d7fd7aab0db180afeadcf54163f5018ca9490e5
Opcode Fuzzy Hash: b69aa5d59d53e68da848490990df77c12e45d88b687c6636e29ca6389491c0f4
Instruction Fuzzy Hash: 79C1BF74A04249EFDB21AFA9D841BADBBB4FF49310F184199E954E7393CB309941CB61

Function 01BE2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01BE26D1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01BE28F7

Memory Dump Source

Source File: 00000000.00000002.2200794064.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1be0000_shipping advice.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: a08856a27eac776749773de34e8a88db43d2ccac7f8ab13d1ca2c9502a0c2625
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: FDA1FA74E00209EBDB18CFA4C958BEEBBB9FF48304F208599E501BB281D7759A41CF54

Function 00852C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00852C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00852CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00851CAD,?), ref: 00852CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00851CAD,?), ref: 00852CCF

Strings

AutoIt v3, xrefs: 00852C89, 00852C8E, 00852C8F
edit, xrefs: 00852CAC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 18585488122220cee87f9920cb32da45846771caf557e91fe22d9c7059f947cb
Instruction ID: 02d8337cf3f98966230cc0343bfe6fb83b3dcb304eb4ab63a039227ae7eaff13
Opcode Fuzzy Hash: 18585488122220cee87f9920cb32da45846771caf557e91fe22d9c7059f947cb
Instruction Fuzzy Hash: 1FF03A759543D47AEB305717AC48E772EBEE7DBF50B01002AF900A61A0C2750862EAB0

Function 01BE23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01BE22A0: Sleep.KERNELBASE(000001F4), ref: 01BE22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01BE24F6

Strings

KSM1DU9TCRWNFOS1V1NS51U, xrefs: 01BE2559, 01BE255C

Memory Dump Source

Source File: 00000000.00000002.2200794064.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1be0000_shipping advice.jbxd

Similarity

API ID: CreateFileSleep
String ID: KSM1DU9TCRWNFOS1V1NS51U
API String ID: 2694422964-2769987326
Opcode ID: 3d2a7c50e845602b69e563ea1e858f40d37a0e72d48e6a757646aeffd6a4b808
Instruction ID: a6924c4f0dbf6a3b38cab1cd612bbf823083b0749af7668b30cc1b915bd4663b
Opcode Fuzzy Hash: 3d2a7c50e845602b69e563ea1e858f40d37a0e72d48e6a757646aeffd6a4b808
Instruction Fuzzy Hash: 9961A370D04288DBEF15DBA4C858BEEBBB8AF19304F0041D9E649BB2C1D7B91B45CB65

Function 008C2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008C2C05
DeleteFileW.KERNEL32(?), ref: 008C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008C2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008C2CC0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 43bab5a235f0b6c4bfe7c9ca0cfebc0ed5714d76ef87e2e8e307b53c9fa07c83
Instruction ID: 3d2937c3a82f80c7fa9c55105d1e11c97c0e110d52f5c7cd74bb81bf592039cb
Opcode Fuzzy Hash: 43bab5a235f0b6c4bfe7c9ca0cfebc0ed5714d76ef87e2e8e307b53c9fa07c83
Instruction Fuzzy Hash: 11B12D72D0011DABDF11DBA8CC85EDEBB7DFF49354F1040AAFA09E6195EA30DA448B61

Function 008510F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00851BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00851BF4
Part of subcall function 00851BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00851BFC
Part of subcall function 00851BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00851C07
Part of subcall function 00851BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00851C12
Part of subcall function 00851BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00851C1A
Part of subcall function 00851BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00851C22

Part of subcall function 00851B4A: RegisterWindowMessageW.USER32(00000004,?,008512C4), ref: 00851BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0085136A
OleInitialize.OLE32 ref: 00851388
CloseHandle.KERNEL32(00000000,00000000), ref: 008924AB

Strings

0m, xrefs: 00851115

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: 0m
API String ID: 1986988660-3665595038
Opcode ID: 4d79e4c74cde1aba4bf3e95726a3874e2d55048bd4ed6e54176a71524aa50ee3
Instruction ID: abeeb323f6d0155a18d17686a55fb62ab4618503f3f1d7b86148422aac4b3ab8
Opcode Fuzzy Hash: 4d79e4c74cde1aba4bf3e95726a3874e2d55048bd4ed6e54176a71524aa50ee3
Instruction Fuzzy Hash: 6E71EEB4D293448FC7A4EF7DA885A543AE4FBA934035482BAE51AC7371EB304427EF41

Function 00853B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00853B0F,SwapMouseButtons,00000004,?), ref: 00853B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00853B0F,SwapMouseButtons,00000004,?), ref: 00853B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00853B0F,SwapMouseButtons,00000004,?), ref: 00853B83

Strings

Control Panel\Mouse, xrefs: 00853B3E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 63ce7d71e8886ce38a11b0c00a44c628d2acf2f32b07a45e8c9a66993406c45e
Instruction ID: d2080c4487a8a472ca10c79ee9f15cfb9ea8ef32d590ae41a5400f9496ed500d
Opcode Fuzzy Hash: 63ce7d71e8886ce38a11b0c00a44c628d2acf2f32b07a45e8c9a66993406c45e
Instruction Fuzzy Hash: 0F112AB5510218FFDB20CFA5DC84AAEB7B9FF04795B104459F805D7110D2319F499761

Function 01BE12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01BE1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01BE1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01BE1B13

Memory Dump Source

Source File: 00000000.00000002.2200794064.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1be0000_shipping advice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: b4c882f19c0121017c9bf938bf4afa0eb17e5f16cdd87a693cd54afe42d7eb7d
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 1C621D30A14258DBEB24DFA4C854BDEB376EF58300F1091A9D20DEB390E7769E81CB59

Function 0085DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008A32B7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8e828af1feea641e4d0b42d9fbcdee4e62fc1fb9cb19d77785dbd6fd340dce62
Instruction ID: f37229015da9b23a330402d1ab80b41137ce64fa1f19239154faed8d7654f736
Opcode Fuzzy Hash: 8e828af1feea641e4d0b42d9fbcdee4e62fc1fb9cb19d77785dbd6fd340dce62
Instruction Fuzzy Hash: F1C28871A00218CFDB28CF58C880AADB7B1FF19315F248169E956EB391D375EE49CB91

Function 00853923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008933A2

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00853A04

Strings

Line: , xrefs: 008933EB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 23a424311eded4dec13ac8bf9159f4457cf47d3944a705691293ddc71bea6fb4
Instruction ID: 45a1a265111aad6eb0696b2a825a45f7505991a3d574f46a86e8f59176c1e9d2
Opcode Fuzzy Hash: 23a424311eded4dec13ac8bf9159f4457cf47d3944a705691293ddc71bea6fb4
Instruction Fuzzy Hash: 4F31E0B1408304AAC725EB24DC45BEBBBD8FB50355F00492AF999C3191EB709A5DC7C3

Function 0086FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00870668

Part of subcall function 008732A4: RaiseException.KERNEL32(?,?,?,0087068A,?,00921444,?,?,?,?,?,?,0087068A,00851129,00918738,00851129), ref: 00873304

__CxxThrowException@8.LIBVCRUNTIME ref: 00870685

Strings

Unknown exception, xrefs: 00870692

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: df60e9aa84ad16b1cf3a113adcfcdb7cb8ac55f2c866d6b14b670de34ff5fc8e
Instruction ID: 39ed7a02283fcb96772fb160510f62f3ed40305c7fc70e64d8de78ad9a514b5b
Opcode Fuzzy Hash: df60e9aa84ad16b1cf3a113adcfcdb7cb8ac55f2c866d6b14b670de34ff5fc8e
Instruction Fuzzy Hash: 92F0A424A0030DA78B00B6A8E856C9E776CFE50354B608131B92CD559AEF71EA659D82

Function 008C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008C302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008C3044

Strings

aut, xrefs: 008C3038

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b3d5e4294bfbb1fc3edf759f8a262df7cbac42925fcd17c932f3ea2ef5ebeeb0
Instruction ID: b38c620184b0240d84c07479449c2def330ea8ec19f54cf32dd8e20db7b3732f
Opcode Fuzzy Hash: b3d5e4294bfbb1fc3edf759f8a262df7cbac42925fcd17c932f3ea2ef5ebeeb0
Instruction Fuzzy Hash: 03D05E72D0032867DA20A7A4AC4EFCB3A6CEB04751F4002A1BB55E6091DAB09985CAD0

Function 008D7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008D82F5
TerminateProcess.KERNEL32(00000000), ref: 008D82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008D84DD

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 8708d442075fb41bbda5f2be32b872c16a8f8dbda3bc75a33bd14d1d0e36b0ab
Instruction ID: 8b23faf97b8eda97dbbe4a7886343cff7283a7868abb162ccbe71b4dbe43a6cf
Opcode Fuzzy Hash: 8708d442075fb41bbda5f2be32b872c16a8f8dbda3bc75a33bd14d1d0e36b0ab
Instruction Fuzzy Hash: 43123971A08341DFC714DF28C484A6ABBE5FF85318F148A5EE899CB352DB31E945CB92

Function 00885AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0e3f03a425eda1a09a0bb2e1c05cfeaabbec4af30bd76232baf23334fca652
Instruction ID: 1d09538e6e61b1533d75b371c2c5ea7e2e57e9d505d521f614e868eaa0fed096
Opcode Fuzzy Hash: fa0e3f03a425eda1a09a0bb2e1c05cfeaabbec4af30bd76232baf23334fca652
Instruction Fuzzy Hash: 2D51CC71D10609ABCB21BFA9C945AEEBBB9FF15324F14001AE405E7292D7309A01DB62

Function 008886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,008885CC,?,00918CC8,0000000C), ref: 00888704
GetLastError.KERNEL32(?,008885CC,?,00918CC8,0000000C), ref: 0088870E
__dosmaperr.LIBCMT ref: 00888739

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: a6f6b420660046291b0d9144ace67d92cd5e7abdbdb2b7cc104c447ee11416b9
Instruction ID: 6c655b760bd768666a3a6df2e5cb6c40bd61a137715077ff694b5d8d5d1b6275
Opcode Fuzzy Hash: a6f6b420660046291b0d9144ace67d92cd5e7abdbdb2b7cc104c447ee11416b9
Instruction Fuzzy Hash: C7016B32A0426096C630B238684977E6B59FF92778F78011DF814CB2D3EEA0DC818351

Function 008C2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,008C2CD4,?,?,?,00000004,00000001), ref: 008C2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008C2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008C3006
CloseHandle.KERNEL32(00000000,?,008C2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008C300D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8fbcfe7ed7f1b4665a268cd211bc0d98f1b40697bfccd56eb5aabc626f0cde07
Instruction ID: 023f82dc777caa2102df8eb7c5a4acbc587f053f72454f8662f1ec6384547418
Opcode Fuzzy Hash: 8fbcfe7ed7f1b4665a268cd211bc0d98f1b40697bfccd56eb5aabc626f0cde07
Instruction Fuzzy Hash: 4DE0863268025077D2311755BC4DF8B3E1CEB86B71F104214FB29B91D046A0550242A8

Function 00861310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008617F6

Strings

CALL, xrefs: 008617C6

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 819497c4549f2451085c3a8c8f33fe78b5f4c21568234f66067d8c964f5ae12a
Instruction ID: d8300b722b8c5a82fde88f4f5824b2d036de67d34c68fcebfea986525934fd66
Opcode Fuzzy Hash: 819497c4549f2451085c3a8c8f33fe78b5f4c21568234f66067d8c964f5ae12a
Instruction Fuzzy Hash: 7F227A706082019FDB14DF18C488A2ABBF2FF85314F19892DF596CB762D771E855CB92

Function 008C6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008C6F6B

Part of subcall function 00854ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 008C6F5A, 008C6F63

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 3e082f2729d7127b37d3f9cc95bae27ca8c15a56fd376bf11b496042d64eaa5c
Instruction ID: 66392d1a08c48c9058aba51dc9eddb93c0143d96b1f21486a549609ebce5bfca
Opcode Fuzzy Hash: 3e082f2729d7127b37d3f9cc95bae27ca8c15a56fd376bf11b496042d64eaa5c
Instruction Fuzzy Hash: 4FB14D311086019FCB14EF28C491DAAB7E5FF94315F44896DF896D7262EB30ED49CB92

Function 00852DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00892C8C

Part of subcall function 00853AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853A97,?,?,00852E7F,?,?,?,00000000), ref: 00853AC2

Part of subcall function 00852DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00852DC4

Strings

X, xrefs: 00892C5A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 3711821723c891998a644ee13a92444aa71bdae12c5b4029033d37db954721f0
Instruction ID: 68b6ddda2dfe916eb169d9834f990d830271b5ac9ce1b44b38c146b878ee4b7d
Opcode Fuzzy Hash: 3711821723c891998a644ee13a92444aa71bdae12c5b4029033d37db954721f0
Instruction Fuzzy Hash: 93216271A0025C9ADB11AB98C8457EE7BF9FF49315F004059E805E7241DBB4558D8B62

Function 008C2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008C2587

Strings

EA06, xrefs: 008C25B9

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 761ce3d1cb2d8fe165e29a8eeaa8fd179b679c3923e9d21f498fcdc2644f74e4
Instruction ID: 7a36ba100591b9a3580f3a794e00fbe8403a6001eb871f615a428a9480ad0390
Opcode Fuzzy Hash: 761ce3d1cb2d8fe165e29a8eeaa8fd179b679c3923e9d21f498fcdc2644f74e4
Instruction Fuzzy Hash: A601B5729442587EDF58C7A8C856FEEBBF8EB05305F00859EE156D21C1E5B4E6088B61

Function 00853837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00853908

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a7c0913baed1770d1c3741e099c7cf2b42c6fbed10804a97f874aa14b21bd245
Instruction ID: b232c562efe947c2ae6712b78b9d9affc6cc28bab0f608f823058061b582a190
Opcode Fuzzy Hash: a7c0913baed1770d1c3741e099c7cf2b42c6fbed10804a97f874aa14b21bd245
Instruction Fuzzy Hash: 473191B09043019FD721DF24D884797BBE8FB49749F00092EF99AC7350E771AA58DB52

Function 0085B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0085BB4E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 2de453db963224dbdd249c6fa7ee2cc5885a545bad25d8c2d3cd201a21f10397
Instruction ID: 33f2cb907f27c91dac4bb8be807744413c1fb256459f3f108d2f1e013a012c06
Opcode Fuzzy Hash: 2de453db963224dbdd249c6fa7ee2cc5885a545bad25d8c2d3cd201a21f10397
Instruction Fuzzy Hash: 2532CA30A00209AFEB20CF58C894BBABBB9FF55315F148069ED05EB351D774AD49CB92

Function 01BE129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01BE1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01BE1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01BE1B13

Memory Dump Source

Source File: 00000000.00000002.2200794064.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1be0000_shipping advice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 3bb2e1bf0e592a33df961d931138d7e8f4d3d5b4f9d883edfafbef8dd510608d
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: D712EE24E14658C6EB24DF64D8547DEB272FF68300F10A0E9910DEB7A4E77A4F81CB5A

Function 00854ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00854E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00854EDD,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854E9C
Part of subcall function 00854E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00854EAE
Part of subcall function 00854E90: FreeLibrary.KERNEL32(00000000,?,?,00854EDD,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854EFD

Part of subcall function 00854E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00893CDE,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854E62
Part of subcall function 00854E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00854E74
Part of subcall function 00854E59: FreeLibrary.KERNEL32(00000000,?,?,00893CDE,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854E87

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cd2cf7f163b6e9abd87c4e88a9a70924728d590326450ee87ef305ed4fc9c011
Instruction ID: bd3f4df313ddc7a0323ad5c46c9fae11bb82508a6123ffbf5389352d12783fb4
Opcode Fuzzy Hash: cd2cf7f163b6e9abd87c4e88a9a70924728d590326450ee87ef305ed4fc9c011
Instruction Fuzzy Hash: C911E332600605ABCF24BB6CDC13FAD77A5FF4071AF10842DF942EA1D1EE709A899B51

Function 00888402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00888440

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 02bf802346df548a213740354bd61189b257815e0dbd3c41a9a0867d54eb39a0
Instruction ID: b5e10d4b45744550812fa8d3de41af8f84080d82c578e6552d7f3f1a7a5c5cec
Opcode Fuzzy Hash: 02bf802346df548a213740354bd61189b257815e0dbd3c41a9a0867d54eb39a0
Instruction Fuzzy Hash: EB11067690410AEFCF15DF58E94199A7BF9FF48314F144059F808EB312DB31DA118BA5

Function 0087E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 3b00d03922d8b7820e6551b3498ed32fffb00aaf40665c03673758422cc00cf7
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 01F0F432510A14A6C6313E6E8C05B5A3798FF76334F208755F929D22D6DB74D801C6A7

Function 00883820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00921444,?,0086FDF5,?,?,0085A976,00000010,00921440,008513FC,?,008513C6,?,00851129), ref: 00883852

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4cad863c23c261653b21aef8fbf53778da00eab7eca272898e0b51c1e6b84a90
Instruction ID: e5904fa316d059f93e40a3773355a2e496399d3bcf7acdcbf3d6bda801eec92e
Opcode Fuzzy Hash: 4cad863c23c261653b21aef8fbf53778da00eab7eca272898e0b51c1e6b84a90
Instruction Fuzzy Hash: 7DE0E53120122457D631376B9C05B9A3649FB42FB0F150030BC18E6591DB60DE0193E1

Function 00884D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00884D9C

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: db13b32a872c9aee175a11ccb78428b5b8390af936c4890fa2b09c296da5c0f0
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 3BE092371003059F8720DF6CD800A82BBF4FF843207208529E89DD3311D331E812CB80

Function 00854F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854F6D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 47740a7520f508f42649456980ca6edf7bd306bf88301786b2bb0b878e709e2e
Instruction ID: b035e12f0f3c71a1b4c942001cedcc2b1387863d1011a44d3e9073a945ac0ef3
Opcode Fuzzy Hash: 47740a7520f508f42649456980ca6edf7bd306bf88301786b2bb0b878e709e2e
Instruction Fuzzy Hash: 9CF01571505752CFDB349F68D490862BBE4FF1432E324996EE9EAC6621CB319888DF10

Function 00852DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00852DC4

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f1cd863b75efc649269626d1e705775f14000ace2cffa9feb4559280f18a4090
Instruction ID: 70a3539969695c3d0d0f9d06e384632118d54ab5880283fb6307f414d122d370
Opcode Fuzzy Hash: f1cd863b75efc649269626d1e705775f14000ace2cffa9feb4559280f18a4090
Instruction Fuzzy Hash: A1E0CD72A041245BCB10A25C9C06FEA77DDFFC9791F040071FD09D7248EA70AD848551

Function 008C2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008C26B5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 197f1f679c43fa535009023f031eeab65118fe2fbf3b4c33f51906c33c20be21
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: D7E048B06097005FDF395A28A851BB777E5EF49300F04446EF59FC2252E5726845875D

Function 00852B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00853837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00853908

Part of subcall function 0085D730: GetInputState.USER32 ref: 0085D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00852B6B

Part of subcall function 008530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0085314E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3dc22def5ac45dd5a3aba1252e7d6ace440fbd0a16a6b6ce24b1c0005614ef20
Instruction ID: 32d31a8b48022a9102a27f192b8a12b18a2afa7eff89e75827f60b8d11c4e080
Opcode Fuzzy Hash: 3dc22def5ac45dd5a3aba1252e7d6ace440fbd0a16a6b6ce24b1c0005614ef20
Instruction Fuzzy Hash: FDE0262270434402C618BB3CA8524BDA759FBE5393F40043EF846C31B3CE20454E8213

Function 0089039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00890704,?,?,00000000,?,00890704,00000000,0000000C), ref: 008903B7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5fc5336c3e8dbe993cde5b8fd61c6a61a793d21261a7c950aeff095034d058a6
Instruction ID: d1f0ecff9bd0d5901b372f9315e73752c718851f042c3388be659021a5942ea7
Opcode Fuzzy Hash: 5fc5336c3e8dbe993cde5b8fd61c6a61a793d21261a7c950aeff095034d058a6
Instruction Fuzzy Hash: E0D06C3204014DBBDF028F84DD46EDA3FAAFB48714F014000BE1856020C732E822AB91

Function 00851CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00851CBC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 1db65e61a8db2c3ede4ab3c7e592d432ae4a9b8d9f010edd6a272afbfe418196
Instruction ID: e1dfc4f1f91586cc3e6a4e4dd193fef67979d819c10dc49ebb6685a75ac26704
Opcode Fuzzy Hash: 1db65e61a8db2c3ede4ab3c7e592d432ae4a9b8d9f010edd6a272afbfe418196
Instruction Fuzzy Hash: E7C09236298348BFF3248B80BC8AF107765B35CB00F048001F609A95E3C3A22822FA90

Function 0086FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0086FD1F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: eba3f879eedb5d4158f411efb662bb6acdd9a5dd59ad1980f69b6af5ab155623
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2131E275A00109DBD718CF59E480969FBA6FF49304B2686A5EA09CF656D731EEC1CBC0

Function 01BE22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01BE22B1

Memory Dump Source

Source File: 00000000.00000002.2200794064.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1be0000_shipping advice.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f3177b767bb7d58cc0dbecb688d9ddf444cef38df2205391d62be48b9ae248fe
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: E9E0BF7494010E9FDB00EFA4D54969E7BB4EF04301F1001A1FD0192281D73199508A62

Non-executed Functions

Function 008E9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008E96C9
SendMessageW.USER32 ref: 008E96F2
GetKeyState.USER32(00000011), ref: 008E978B
GetKeyState.USER32(00000009), ref: 008E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008E97AE
GetKeyState.USER32(00000010), ref: 008E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008E97E9
SendMessageW.USER32 ref: 008E9810
SendMessageW.USER32(?,00001030,?,008E7E95), ref: 008E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008E9941
SetCapture.USER32(?), ref: 008E994A
ClientToScreen.USER32(?,?), ref: 008E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008E99D6
ReleaseCapture.USER32 ref: 008E99E1
GetCursorPos.USER32(?), ref: 008E9A19
ScreenToClient.USER32(?,?), ref: 008E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008E9A80
SendMessageW.USER32 ref: 008E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008E9AEB
SendMessageW.USER32 ref: 008E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008E9B4A
GetCursorPos.USER32(?), ref: 008E9B68
ScreenToClient.USER32(?,?), ref: 008E9B75
GetParent.USER32(?), ref: 008E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008E9BFA
SendMessageW.USER32 ref: 008E9C2B
ClientToScreen.USER32(?,?), ref: 008E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008E9CDE
SendMessageW.USER32 ref: 008E9D01
ClientToScreen.USER32(?,?), ref: 008E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008E9D82

Part of subcall function 00869944: GetWindowLongW.USER32(?,000000EB), ref: 00869952

GetWindowLongW.USER32(?,000000F0), ref: 008E9E05

Strings

@GUI_DRAGID, xrefs: 008E997D
F, xrefs: 008E9D07

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: ec08ca33992053f4e1b4814160cdc2fca037201e985d66b7278969f319743adf
Instruction ID: ff3763fbea3df00a3b6d2774ec1e8c68e4c8c9f7a270b7ced949325e5df8fc88
Opcode Fuzzy Hash: ec08ca33992053f4e1b4814160cdc2fca037201e985d66b7278969f319743adf
Instruction Fuzzy Hash: F4428E34604281AFD724CF69CC84AAABBF5FF5A314F10061EF999C72B1D7B1A865CB41

Function 008E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008E4A7E
IsMenu.USER32(?), ref: 008E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E4B20
GetWindowLongW.USER32(?,000000F0), ref: 008E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008E4C82
wsprintfW.USER32 ref: 008E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008E4D5A

Strings

%d/%02d/%02d, xrefs: 008E4CA8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 731eba08a4a07c660d4b6858a27c134295e4ca0d0cbb876a40a8c6b80dfcfc93
Instruction ID: 31626675e3910b8d3306146c13378090bfb15709f5ca6377eca5a1db4681ffe0
Opcode Fuzzy Hash: 731eba08a4a07c660d4b6858a27c134295e4ca0d0cbb876a40a8c6b80dfcfc93
Instruction Fuzzy Hash: 0012E271A00298ABEB248F29CC49FAE7BF8FF46714F105129F919DB2E1DB749941CB50

Function 0086F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0086F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008AF474
IsIconic.USER32(00000000), ref: 008AF47D
ShowWindow.USER32(00000000,00000009), ref: 008AF48A
SetForegroundWindow.USER32(00000000), ref: 008AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008AF4AA
GetCurrentThreadId.KERNEL32 ref: 008AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008AF4DE
SetForegroundWindow.USER32(00000000), ref: 008AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008AF4F6
keybd_event.USER32(00000012,00000000), ref: 008AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008AF50B
keybd_event.USER32(00000012,00000000), ref: 008AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008AF519
keybd_event.USER32(00000012,00000000), ref: 008AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008AF528
keybd_event.USER32(00000012,00000000), ref: 008AF52D
SetForegroundWindow.USER32(00000000), ref: 008AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008AF557

Strings

Shell_TrayWnd, xrefs: 008AF46F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6bdc06ef694f548b3ef5d0190fd91d18f2e80c1842b437e980a3ad02ae55ff9a
Instruction ID: b1a53b794d3929dedec59385fe937bc2912ed291837e71dbffada6afb0a84d6c
Opcode Fuzzy Hash: 6bdc06ef694f548b3ef5d0190fd91d18f2e80c1842b437e980a3ad02ae55ff9a
Instruction Fuzzy Hash: AC310D71E40258BFFB216BE55C8AFBF7E6DFB45B50F100069FA01EA1D1C6B15901AA60

Function 008B1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008B170D
Part of subcall function 008B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008B173A
Part of subcall function 008B16C3: GetLastError.KERNEL32 ref: 008B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008B12A8
CloseHandle.KERNEL32(?), ref: 008B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008B12D1
GetProcessWindowStation.USER32 ref: 008B12EA
SetProcessWindowStation.USER32(00000000), ref: 008B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008B1310

Part of subcall function 008B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008B11FC), ref: 008B10D4
Part of subcall function 008B10BF: CloseHandle.KERNEL32(?,?,008B11FC), ref: 008B10E9

Strings

default, xrefs: 008B130B
winsta0, xrefs: 008B12CC
, xrefs: 008B125A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: bbfe40be0e1ba64f655694819124454dc6ec9115a7a3062f55350c24ca74276c
Instruction ID: 9d04ecf43f788ac862503e00928fdefbf5ba17e9520d5ba50a7b2a3e6d82c527
Opcode Fuzzy Hash: bbfe40be0e1ba64f655694819124454dc6ec9115a7a3062f55350c24ca74276c
Instruction Fuzzy Hash: FC818B71900249AFDF219FA8DC99BEF7BBAFF04704F144129F910EA2A0DB318945CB25

Function 008B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008B1114
Part of subcall function 008B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B1120
Part of subcall function 008B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B112F
Part of subcall function 008B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B1136
Part of subcall function 008B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008B0C00
GetLengthSid.ADVAPI32(?), ref: 008B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008B0C6D
GetLengthSid.ADVAPI32(?), ref: 008B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008B0C8C
HeapAlloc.KERNEL32(00000000), ref: 008B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008B0CB4
CopySid.ADVAPI32(00000000), ref: 008B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B0D45
HeapFree.KERNEL32(00000000), ref: 008B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B0D55
HeapFree.KERNEL32(00000000), ref: 008B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B0D65
HeapFree.KERNEL32(00000000), ref: 008B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008B0D78
HeapFree.KERNEL32(00000000), ref: 008B0D7F

Part of subcall function 008B1193: GetProcessHeap.KERNEL32(00000008,008B0BB1,?,00000000,?,008B0BB1,?), ref: 008B11A1
Part of subcall function 008B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008B0BB1,?), ref: 008B11A8
Part of subcall function 008B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008B0BB1,?), ref: 008B11B7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 63cee6cb4b80152fb10c4070d52d86505dc57974d6b76ce5befe1cf3e98fc000
Instruction ID: cdd5b1590030630495c92f8c976330debe363c9fe14196bf3f8e274c78be9790
Opcode Fuzzy Hash: 63cee6cb4b80152fb10c4070d52d86505dc57974d6b76ce5befe1cf3e98fc000
Instruction Fuzzy Hash: 8B713C7190024AABDF10DFA4DC84BEFBBB9FF05310F144615E915EA2A1D775AA06CF60

Function 008CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008ECC08), ref: 008CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 008CEB37
GetClipboardData.USER32(0000000D), ref: 008CEB43
CloseClipboard.USER32 ref: 008CEB4F
GlobalLock.KERNEL32(00000000), ref: 008CEB87
CloseClipboard.USER32 ref: 008CEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 008CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 008CEBC9
GetClipboardData.USER32(00000001), ref: 008CEBD1
GlobalLock.KERNEL32(00000000), ref: 008CEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 008CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 008CEC38
GetClipboardData.USER32(0000000F), ref: 008CEC44
GlobalLock.KERNEL32(00000000), ref: 008CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008CECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 008CECF3
CountClipboardFormats.USER32 ref: 008CED14
CloseClipboard.USER32 ref: 008CED59

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 22bdb3081097f46e92f814774c817c52e52886ca115e75acdc165386b3f5bce9
Instruction ID: d5d415a22575aa8828287e2b1c726575ba4acb479a1e5fd1199e4b77de290a12
Opcode Fuzzy Hash: 22bdb3081097f46e92f814774c817c52e52886ca115e75acdc165386b3f5bce9
Instruction Fuzzy Hash: ED617734204245AFD310EF28D885F6ABBB8FB84714F14451DF956DB2A2DB31DD0ACBA2

Function 008C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008C69BE
FindClose.KERNEL32(00000000), ref: 008C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008C6A75

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 008C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 008C6ADF

Strings

%02d, xrefs: 008C6C00, 008C6C0A, 008C6C5A, 008C6CAA, 008C6CFA, 008C6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 008C6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008C6B32
%4d, xrefs: 008C6BB1
%03d, xrefs: 008C6DA2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d3adf666ec808c9fbe3c85e8f0987638fcacff1e4e3e72d9a7f495b89f477911
Instruction ID: 927702f37b5fd42b8f7ea4532f135a67be9953250499426a784d5e3abb1cf7eb
Opcode Fuzzy Hash: d3adf666ec808c9fbe3c85e8f0987638fcacff1e4e3e72d9a7f495b89f477911
Instruction Fuzzy Hash: 6BD13071908340AEC714EBA4D882EABB7E8FF88705F44491DF985D7191EB74DA48CB63

Function 008C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008C9663
GetFileAttributesW.KERNEL32(?), ref: 008C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 008C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 008C96D3
FindClose.KERNEL32(00000000), ref: 008C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 008C974A
SetCurrentDirectoryW.KERNEL32(00916B7C), ref: 008C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 008C9772
FindClose.KERNEL32(00000000), ref: 008C977F
FindClose.KERNEL32(00000000), ref: 008C978F

Strings

*.*, xrefs: 008C96F5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 588bd3c81ad3df756ae4161515435b2a4961c048ec0d06ea9367d03ff590bb7e
Instruction ID: 169e640ccb46a3cabdc4c42c7929d156177b2551262ca4295ebd8207e81c4728
Opcode Fuzzy Hash: 588bd3c81ad3df756ae4161515435b2a4961c048ec0d06ea9367d03ff590bb7e
Instruction Fuzzy Hash: 3731DF32A462496ACB10AFB4DC4DEDE37BCFF49320F104099E955E21A0DB75DE818A14

Function 008C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 008C9819
FindClose.KERNEL32(00000000), ref: 008C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 008C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 008C9890
SetCurrentDirectoryW.KERNEL32(00916B7C), ref: 008C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008C98B8
FindClose.KERNEL32(00000000), ref: 008C98C5
FindClose.KERNEL32(00000000), ref: 008C98D5

Part of subcall function 008BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008BDB00

Strings

*.*, xrefs: 008C983B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 62190b6de988c5a9a487d9ef3371d3d407c980a7879ce107149b30aafb4b4b3e
Instruction ID: b4641071cca53eb72ec154b071d01c7eb4d4938e18423bbfafb2a02dcbb9c265
Opcode Fuzzy Hash: 62190b6de988c5a9a487d9ef3371d3d407c980a7879ce107149b30aafb4b4b3e
Instruction Fuzzy Hash: B431D23294425D6ADB10AFA4DC49EDE37BCFF46324F1041A9E994E3190DB71DE858A24

Function 008C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 008C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8395

Strings

*.*, xrefs: 008C839B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9e14c322f0f424443d611ea19852cd13854b7f617acec9709dac6268229a198a
Instruction ID: 2ca4a2d87d0c044793e79b4c2b96d9128d3aad2165d24a5072bc1a5f3aac4696
Opcode Fuzzy Hash: 9e14c322f0f424443d611ea19852cd13854b7f617acec9709dac6268229a198a
Instruction Fuzzy Hash: BA6138725043459FC710EF64C884A9EB3E8FF89315F04891EF999D7251EB31E949CB92

Function 008BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00853AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853A97,?,?,00852E7F,?,?,?,00000000), ref: 00853AC2

Part of subcall function 008BE199: GetFileAttributesW.KERNEL32(?,008BCF95), ref: 008BE19A

FindFirstFileW.KERNEL32(?,?), ref: 008BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008BD1DD
MoveFileW.KERNEL32(?,?), ref: 008BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008BD237

Part of subcall function 008BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008BD21C,?,?), ref: 008BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008BD253
FindClose.KERNEL32(00000000), ref: 008BD264

Strings

\*.*, xrefs: 008BD0CD, 008BD0D6, 008BD0EB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d09a2b48feed48b2bf4296eaa748dfecb75319bbbafd47e957c1c72f8c817bae
Instruction ID: 2499c3df0fe0ccfac3c254f65b485a29011bcdb325db9560c1797a8de5e17bc7
Opcode Fuzzy Hash: d09a2b48feed48b2bf4296eaa748dfecb75319bbbafd47e957c1c72f8c817bae
Instruction Fuzzy Hash: 13615D31C0124DAACF05EBA8D9929EDB7B5FF15301F644165E841B7292EB31AF09CB62

Function 008CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008CED91
EmptyClipboard.USER32 ref: 008CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 008CEDAC
CloseClipboard.USER32 ref: 008CEEA3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b07e4050c944674abb5dcf0727eb96aa1fd73668cd6d0709c4d92c4d21a6cd23
Instruction ID: 82cec62c12b928c9a5065ec72afc0e543696bcb9d2c999122cdee7a6d1edcc37
Opcode Fuzzy Hash: b07e4050c944674abb5dcf0727eb96aa1fd73668cd6d0709c4d92c4d21a6cd23
Instruction Fuzzy Hash: A1417531604251AFE720DF19D888F1ABBA1FB44368F14C09DE82A8B662C735EC42CB90

Function 008BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008B170D
Part of subcall function 008B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008B173A
Part of subcall function 008B16C3: GetLastError.KERNEL32 ref: 008B174A

ExitWindowsEx.USER32(?,00000000), ref: 008BE932

Strings

, xrefs: 008BE920
SeShutdownPrivilege, xrefs: 008BE902
, xrefs: 008BE95C
@, xrefs: 008BE925

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8c5e32ec0f2a1638288ed8958eecb72a9998610e566eb5c366c30700f292c745
Instruction ID: f68e46255ac69200538a12df899eb260f46a42d16084a596aa4685e440fb4e58
Opcode Fuzzy Hash: 8c5e32ec0f2a1638288ed8958eecb72a9998610e566eb5c366c30700f292c745
Instruction Fuzzy Hash: E201D673B10315AFEB5826B89C8ABFF769CF714754F150422F913E63D1D6A06C488190

Function 008D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008D1276
WSAGetLastError.WSOCK32 ref: 008D1283
bind.WSOCK32(00000000,?,00000010), ref: 008D12BA
WSAGetLastError.WSOCK32 ref: 008D12C5
closesocket.WSOCK32(00000000), ref: 008D12F4
listen.WSOCK32(00000000,00000005), ref: 008D1303
WSAGetLastError.WSOCK32 ref: 008D130D
closesocket.WSOCK32(00000000), ref: 008D133C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6c0af6c00e83897c8d8d7b2ede5681b72f20620246983c3c4146b586d3d3e100
Instruction ID: da40105d2fb1496729e739453fd84a773f0f52a3a7804b36308e0943d9b60423
Opcode Fuzzy Hash: 6c0af6c00e83897c8d8d7b2ede5681b72f20620246983c3c4146b586d3d3e100
Instruction Fuzzy Hash: 74417231A00150AFDB14DF68C588B29B7E5FF46318F188199D856CF396C771ED86CBA1

Function 0088B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0088B9D4
_free.LIBCMT ref: 0088B9F8
_free.LIBCMT ref: 0088BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008F3700), ref: 0088BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0092121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0088BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00921270,000000FF,?,0000003F,00000000,?), ref: 0088BC36
_free.LIBCMT ref: 0088BD4B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a2e1be25ef99a43df7a58539c79f9278394dd3b7b655b630f300cba7efe978a3
Instruction ID: b33a8931ff0fdee02f8431dc650d573b92b2ec40265ed7e0808d1efc4b84db6d
Opcode Fuzzy Hash: a2e1be25ef99a43df7a58539c79f9278394dd3b7b655b630f300cba7efe978a3
Instruction Fuzzy Hash: 16C12771904219AFCB24FF789C41BAE7BB9FF91320F1441AAE494D7252EB309E42C751

Function 008BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00853AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853A97,?,?,00852E7F,?,?,?,00000000), ref: 00853AC2

Part of subcall function 008BE199: GetFileAttributesW.KERNEL32(?,008BCF95), ref: 008BE19A

FindFirstFileW.KERNEL32(?,?), ref: 008BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008BD481
FindClose.KERNEL32(00000000), ref: 008BD498
FindClose.KERNEL32(00000000), ref: 008BD4A1

Strings

\*.*, xrefs: 008BD3F2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b0503d4dd6d33d9ae255d00f5a7d54e39913d19bb70f92d783bbc14258dee601
Instruction ID: f4f9e1e602e977bc54918b25d00f8494cfa7a71ba81583b58211eb7d9188a2ab
Opcode Fuzzy Hash: b0503d4dd6d33d9ae255d00f5a7d54e39913d19bb70f92d783bbc14258dee601
Instruction Fuzzy Hash: 45314F71408385ABC205EF68D8918EF7BE8FE91315F444A2DF8D5D3291EB20AA0D8767

Function 0088E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0088E645

Strings

1#INF, xrefs: 0088F852
1#QNAN, xrefs: 0088F84B
1#IND, xrefs: 0088F83D
1#SNAN, xrefs: 0088F844

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3387205ad46ea6adc254d7d264048c182ad1b98762537a2ddbb3529923c8df13
Instruction ID: e5367761ed19d71be13cd84750643968a1cdffb596eeb403f6f9c387bb8704ad
Opcode Fuzzy Hash: 3387205ad46ea6adc254d7d264048c182ad1b98762537a2ddbb3529923c8df13
Instruction Fuzzy Hash: A3C23A71E086298FDB25EE28DD407EAB7B5FB48305F1441EAD94DE7241E778AE818F40

Function 008C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008C64DC
CoInitialize.OLE32(00000000), ref: 008C6639
CoCreateInstance.OLE32(008EFCF8,00000000,00000001,008EFB68,?), ref: 008C6650
CoUninitialize.OLE32 ref: 008C68D4

Strings

.lnk, xrefs: 008C64BA, 008C6524, 008C65E0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 441b5a77c24d0b7887f42bf30dfdeb6675273e24238c35a690085d53bdf676f0
Instruction ID: f83fbfd2ebf077dfdc87380247d646d9dc128b23115320e2930522e1eafbeabf
Opcode Fuzzy Hash: 441b5a77c24d0b7887f42bf30dfdeb6675273e24238c35a690085d53bdf676f0
Instruction Fuzzy Hash: 2BD12771508201AFC304EF28C881E6BB7E9FF94705F50496DF995CB291EB70E909CB92

Function 008D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008D22E8

Part of subcall function 008CE4EC: GetWindowRect.USER32(?,?), ref: 008CE504

GetDesktopWindow.USER32 ref: 008D2312
GetWindowRect.USER32(00000000), ref: 008D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008D2355
GetCursorPos.USER32(?), ref: 008D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008D23DF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d4dfc5421607b7a6438de21a8600cb292931e92c68ebd8bd03e28279cfb70be2
Instruction ID: 5c3b3ae3f04c24056a1ad8613626f0832235391247ac2932a2642bbd0c127b7a
Opcode Fuzzy Hash: d4dfc5421607b7a6438de21a8600cb292931e92c68ebd8bd03e28279cfb70be2
Instruction Fuzzy Hash: 7631EF72504345AFC724DF18C844B9BBBA9FF94314F000A1AF884DB291DB34E909CB92

Function 008C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008C9C8B

Part of subcall function 008C3874: GetInputState.USER32 ref: 008C38CB
Part of subcall function 008C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008C9C75

Strings

*.*, xrefs: 008C9B5D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: fbdfe1795e6e7539132ba64c1529ced1560338b468a8c69d9cf3bb4d692a6d71
Instruction ID: aeded637f8d62d8cf9953564aad7c9bc2aba1213738af659feb4bea88fd0633b
Opcode Fuzzy Hash: fbdfe1795e6e7539132ba64c1529ced1560338b468a8c69d9cf3bb4d692a6d71
Instruction Fuzzy Hash: 33414E7190420AABCF14DF68C889FEE7BB4FF05311F2441A9E855E6291EB31DE85CB61

Function 0086997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00869A4E
GetSysColor.USER32(0000000F), ref: 00869B23
SetBkColor.GDI32(?,00000000), ref: 00869B36

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: e0c7374d9412f3834f74478272ead402ab8b806963c1e0edb78322e0adba2f4f
Instruction ID: bcd89e9f75f5340c7504b94fdb8d4a7d44244c0e9f1e82511e8ceaa910ee6009
Opcode Fuzzy Hash: e0c7374d9412f3834f74478272ead402ab8b806963c1e0edb78322e0adba2f4f
Instruction Fuzzy Hash: 26A14970208468BEF7399A7D9C88E7B3ADDFB43315F16011AF582C6AD1CA359D01E672

Function 008D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008D307A
Part of subcall function 008D304E: _wcslen.LIBCMT ref: 008D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008D185D
WSAGetLastError.WSOCK32 ref: 008D1884
bind.WSOCK32(00000000,?,00000010), ref: 008D18DB
WSAGetLastError.WSOCK32 ref: 008D18E6
closesocket.WSOCK32(00000000), ref: 008D1915

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 421796f9ee9e85d35900e7780f4cd61fccd08db7d15c22e2e742072957ce392f
Instruction ID: 3355514b1d98be940bfe2299b908229983eb34499fd228f654bca243be630863
Opcode Fuzzy Hash: 421796f9ee9e85d35900e7780f4cd61fccd08db7d15c22e2e742072957ce392f
Instruction Fuzzy Hash: D0519171A00210AFDB10EF28C886F6A77A5FF44718F488159F9459F393DB71AD418BA2

Function 008E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008E1CC0
IsWindowEnabled.USER32 ref: 008E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008E1CDB
IsIconic.USER32 ref: 008E1CE9
IsZoomed.USER32 ref: 008E1CF7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 88e0c36d78d323b2db396726a03967285c496545898170765db558c3fe9f2b10
Instruction ID: 2c0c4a35d1dbec4efed7ab83aa63c31aa730b5c33c24c9c9fbce9754c695b6ec
Opcode Fuzzy Hash: 88e0c36d78d323b2db396726a03967285c496545898170765db558c3fe9f2b10
Instruction Fuzzy Hash: 7521A6317402915FDB208F1BC888B6A7BE5FF96315B298068E845CB351CB71EC42CB91

Function 00858060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008583E8
VUUU, xrefs: 008583FA
VUUU, xrefs: 00895DF0
ERCP, xrefs: 0085813C
VUUU, xrefs: 0085843C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 73bdd8bba964870288a7d829a570875b07bf3e6959103f612ecb3743cb1d86f3
Instruction ID: e4210e6514604a9d44a58982d8d4ab69092a000309845687656892cdb1ded013
Opcode Fuzzy Hash: 73bdd8bba964870288a7d829a570875b07bf3e6959103f612ecb3743cb1d86f3
Instruction Fuzzy Hash: 55A26C70A0061ACBDF25DF58C8807AEB7B1FF54315F2881AAEC15E7285EB309D95CB90

Function 008DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 008DA6BA

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Process32NextW.KERNEL32(00000000,?), ref: 008DA79C
CloseHandle.KERNEL32(00000000), ref: 008DA7AB

Part of subcall function 0086CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00893303,?), ref: 0086CE8A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 8e3fb82b348e363b6d692bdda636f58db68fd283a481d980dc51263351958496
Instruction ID: 5616d0cc26c89432a798e14f4a4134579010f3176279294ef095393d74748a08
Opcode Fuzzy Hash: 8e3fb82b348e363b6d692bdda636f58db68fd283a481d980dc51263351958496
Instruction Fuzzy Hash: 48513971508300AFD714EF28C886A6BBBE8FF89754F40492DF995D7252EB30D908CB92

Function 008BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008BAAAC
SetKeyboardState.USER32(00000080), ref: 008BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008BAB88

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: bc0f14ff5c7fb9fd52f1da1f1b9052927fdc5d2ebdfab34b344e29f2542d45f2
Instruction ID: c4e01f6c5f94ebf19002c9ca5a7b145df75d4b5984c0c640b571205d5b5a0424
Opcode Fuzzy Hash: bc0f14ff5c7fb9fd52f1da1f1b9052927fdc5d2ebdfab34b344e29f2542d45f2
Instruction Fuzzy Hash: 8031FC30A80258AEFF398B648C45BFA7BA6FB45330F04421AF5A1D63D1D3759985C763

Function 008CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008CCE89
GetLastError.KERNEL32(?,00000000), ref: 008CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 008CCEFE

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4efc25521b44e78b7610ea8b4352838a5533742af46412f77a3588fcf7192764
Instruction ID: ed702c78342ab675914a14bc6c44b342461fa26585c4444b26c5748efd3fc653
Opcode Fuzzy Hash: 4efc25521b44e78b7610ea8b4352838a5533742af46412f77a3588fcf7192764
Instruction Fuzzy Hash: 9521BDB19003059BDB20DF69D988FAA7BF8FB41318F10841EE64AD6151EB70EE458B60

Function 008B8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008B82AA

Strings

|, xrefs: 008B82DA
(, xrefs: 008B82F0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 201bdcaf8acf14aadc75bcb35363109867d3c8367fa86656fd934e815e44e157
Instruction ID: e8ed3d7b375d3efc6fe696d0d6b9aeb7ada8cd0f39007efbcf6afb06a05438be
Opcode Fuzzy Hash: 201bdcaf8acf14aadc75bcb35363109867d3c8367fa86656fd934e815e44e157
Instruction Fuzzy Hash: BA322374A00605DFCB28CF59C481AAAB7F4FF48710B15856EE59ADB3A1EB70E981CB44

Function 008C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 008C5D17
FindClose.KERNEL32(?), ref: 008C5D5F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 333d11c15a50df3bdc5a980e93b5f7d82cfe5092efb5402475f69ddbd5d412d1
Instruction ID: 6bdabe48068c16f1c44fa5cb08e13e6c132a9a87cf236881c03121ced7c0e308
Opcode Fuzzy Hash: 333d11c15a50df3bdc5a980e93b5f7d82cfe5092efb5402475f69ddbd5d412d1
Instruction Fuzzy Hash: 975134746047019FCB14CF28C494E96B7E4FB49314F14856DEA5ACB3A2DB30F945CB92

Function 00882622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0088271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00882724
UnhandledExceptionFilter.KERNEL32(?), ref: 00882731

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 24f5b9c3081ac9de13f2c5a98092b370c51546bb4c9d80320958cc63be0bd1ef
Instruction ID: 69536dbfdf1eb362b57aa0b28a71bba94607984cb553d2ce3aa139c5521fbf31
Opcode Fuzzy Hash: 24f5b9c3081ac9de13f2c5a98092b370c51546bb4c9d80320958cc63be0bd1ef
Instruction Fuzzy Hash: 6831B474951228ABCB21DF68DC89799B7B8FF08310F5081EAE41CA6261E7309F818F45

Function 008C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008C5238
SetErrorMode.KERNEL32(00000000), ref: 008C52A1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 7706e981b8d22abbe34e792b4db3c05f1c27a9392499ac3a2005316f54ffb1c2
Instruction ID: a7d1921be01065303bb093da746da55cdc1e5791a400d3b441d2b82db8b4f460
Opcode Fuzzy Hash: 7706e981b8d22abbe34e792b4db3c05f1c27a9392499ac3a2005316f54ffb1c2
Instruction Fuzzy Hash: FA312B75A00618EFDB00DF54D884EADBBF5FF49314F048099E845AB362DB31E85ACB91

Function 008B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0086FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00870668
Part of subcall function 0086FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00870685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008B173A
GetLastError.KERNEL32 ref: 008B174A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 41171b82b07257459fb3cef301f31d3327dadfad93ddec120bfc93054566bdaa
Instruction ID: 16976320fea10b7356de8c3082a82c98e035a0877bb0f5ed73659cc5e199d06a
Opcode Fuzzy Hash: 41171b82b07257459fb3cef301f31d3327dadfad93ddec120bfc93054566bdaa
Instruction Fuzzy Hash: 9C11C4B1400304AFD7189F58ECC6DAAB7FDFB05714B20852EE05697241EB70FC418B64

Function 008BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008BD650

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: ee799be77767c123964fdb2d098fa6cf2a35d8e9d0f7d1c6910fb12f502d56ae
Instruction ID: 3e33697489d376b0d7eece4fdf634ec33fab5cce6d1ae0db413cd42480ab8f9e
Opcode Fuzzy Hash: ee799be77767c123964fdb2d098fa6cf2a35d8e9d0f7d1c6910fb12f502d56ae
Instruction Fuzzy Hash: CD113C75E05228BBDB108F959C85FEFBFBCFB45B50F108115F914E7290D6704A058BA1

Function 008B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008B16A1
FreeSid.ADVAPI32(?), ref: 008B16B1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d84875000c0757d7cddc3ec76066bbd1182cf84312770456c5de6d306ac8b976
Instruction ID: d43cd6c9c2bc043db2bd80ff6c2925a1e10fed602fd75a98f170505a06ca9a35
Opcode Fuzzy Hash: d84875000c0757d7cddc3ec76066bbd1182cf84312770456c5de6d306ac8b976
Instruction Fuzzy Hash: 01F0F471D50309FBDF00DFE49C89AAEBBBCFB08604F504565E501E6181E774AA448A50

Function 00874CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008828E9,?,00874CBE,008828E9,009188B8,0000000C,00874E15,008828E9,00000002,00000000,?,008828E9), ref: 00874D09
TerminateProcess.KERNEL32(00000000,?,00874CBE,008828E9,009188B8,0000000C,00874E15,008828E9,00000002,00000000,?,008828E9), ref: 00874D10
ExitProcess.KERNEL32 ref: 00874D22

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5b95790a175858f5f8775c022e1d5d50c09498d1f04ce4c4fbecd05fffd57569
Instruction ID: b959eedf9a64113fefead0ded08059d2d7b34bfe9dfe53b756084a2ecb59ba9e
Opcode Fuzzy Hash: 5b95790a175858f5f8775c022e1d5d50c09498d1f04ce4c4fbecd05fffd57569
Instruction Fuzzy Hash: 1FE0B631400188AFCF21AF58DD59A583F69FB41781B118014FC59DA226DB35ED52DB81

Function 0088C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0088C36C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 2e817205a83913820b0e00622ac1f69598cafdf863f9fd4b0c559abd1a199acc
Instruction ID: 95059a4d87327cdcbcb64ff77653a0a82f382afdcd141a7ae7475510143b8fab
Opcode Fuzzy Hash: 2e817205a83913820b0e00622ac1f69598cafdf863f9fd4b0c559abd1a199acc
Instruction Fuzzy Hash: B0413B72900219AFCB20AFB9DC49DBB7778FB84314F50426DF905D7284E6709D81CB60

Function 008AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008AD28C

Strings

X64, xrefs: 008AD2A8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 78da82a85cd4f0588946cc355e1215e38897c60d8f55029830fa639df3ed6697
Instruction ID: 2841a95ad1c2f4db1ff8ae0988dee8d3e2f95c0a9d043c414fd11c686af2cabb
Opcode Fuzzy Hash: 78da82a85cd4f0588946cc355e1215e38897c60d8f55029830fa639df3ed6697
Instruction Fuzzy Hash: F6D0C9B580121DEACB90DB90DCC8DD9B37CFB14309F100151F506E2000D73095498F10

Function 0087CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: b8460770012bd0a3510b1e43b0b155baad007088cb1e45424a7de047a286b115
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 5F02FC72E011199BDF24CFA9D8806ADBBF1FF88314F25816DD919E7384D731AA418B94

Function 008C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008C6918
FindClose.KERNEL32(00000000), ref: 008C6961

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3f924097bba48940ee44b8e40ec677e2d5310eb56a4fe4f12731ad0f38d2a29a
Instruction ID: e695f6756e7413a5312a441fb845c307edbb1ffd7acf453b1d1889e3f838baaf
Opcode Fuzzy Hash: 3f924097bba48940ee44b8e40ec677e2d5310eb56a4fe4f12731ad0f38d2a29a
Instruction Fuzzy Hash: 261181716042009FC710DF29D885E16BBE5FF85329F14C6ADE8698F6A2DB70EC09CB91

Function 008C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,008D4891,?,?,00000035,?), ref: 008C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,008D4891,?,?,00000035,?), ref: 008C37F4

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5e17ed44ba9b45d9b991f55adaff880f804d4815162b51231dc9f3ef2e8a7e0f
Instruction ID: 5c94457058a3476e25dadcbf160d4ffb2a5950038541f7dacaec4fb5105a36dc
Opcode Fuzzy Hash: 5e17ed44ba9b45d9b991f55adaff880f804d4815162b51231dc9f3ef2e8a7e0f
Instruction Fuzzy Hash: 8DF0E5B1A043296AEB20276A8C8DFEB3AAEFFC5761F000179F509D2281D9709D05C6B1

Function 008BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008BB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 008BB270

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c04201ab3f26f0576cc66bc8696502b3e7966dd2df004c3c92700ad6a492cc30
Instruction ID: bf7db7b40f8ee3b944be7118b5ee99c69e8b0a706951fab2537cfeba6e9797c0
Opcode Fuzzy Hash: c04201ab3f26f0576cc66bc8696502b3e7966dd2df004c3c92700ad6a492cc30
Instruction Fuzzy Hash: A5F01D7180428DABDB059FA5C805BEE7FB4FF04309F008009F965AA191C379C6119F94

Function 008B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008B11FC), ref: 008B10D4
CloseHandle.KERNEL32(?,?,008B11FC), ref: 008B10E9

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 84134e0629b9767c636ae71b17ef049d1d6ca2d27f6ba586f38a542123a97b32
Instruction ID: 3348fba43b8e91117b5f6620d82442f16fa3a316e1d713cd80fb6b6af944d05d
Opcode Fuzzy Hash: 84134e0629b9767c636ae71b17ef049d1d6ca2d27f6ba586f38a542123a97b32
Instruction Fuzzy Hash: 7CE04F32404600AEE7252B15FC09E737BA9FB04310B10882EF5A5C44B1DB62AC91DB10

Function 0085CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008A0C40

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 7eb07c840f35297f2d0e3f2086475cff05265b943791cf13410a352e1db958b6
Instruction ID: f9bfd9aa253e0ee4e0616b71f6e7c2c4663015ff709458eb89aa18566d15d4e9
Opcode Fuzzy Hash: 7eb07c840f35297f2d0e3f2086475cff05265b943791cf13410a352e1db958b6
Instruction Fuzzy Hash: 3E3257709002189FDF14DF94C981AEDB7B5FF05309F244059E806EB292DB75AE4ADF62

Function 0088676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00886766,?,?,00000008,?,?,0088FEFE,00000000), ref: 00886998

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d63bff7769c014a75ad5eb71b1b113d76eed4d6feaf4d710ba9bcaa2ad5d5c8a
Instruction ID: 96b6707ac04426663c41593e959f682b5f389a6a9274895713cc18c8ae7d3ecb
Opcode Fuzzy Hash: d63bff7769c014a75ad5eb71b1b113d76eed4d6feaf4d710ba9bcaa2ad5d5c8a
Instruction Fuzzy Hash: 3CB15D31610608DFD719DF28C48AB657BE0FF45368F298658E899CF2E2D735E9A1CB40

Function 0086B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008A851F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 01dadd771b86459ff8a76c63ad898b4b3a2c901c615a6ce5047af99098bacd0d
Instruction ID: 9494c0909db7131ac0a49bf71b2dc453e77c683a53a5b0d51cda71cee861c364
Opcode Fuzzy Hash: 01dadd771b86459ff8a76c63ad898b4b3a2c901c615a6ce5047af99098bacd0d
Instruction Fuzzy Hash: 4E125F71900229DFDB14CF58C8816AEB7F5FF49714F1581AAE849EB251EB309E81CBA4

Function 008CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008CEABD

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 92280cd5be10543d7abf80b3dd0900ab5cb733e92f1c3c973e57c1a8eee0d09e
Instruction ID: af3c89086aca6edd0e3b25af1da67152cc4e03cd6e2e7e6f3e11021d2dc6a81b
Opcode Fuzzy Hash: 92280cd5be10543d7abf80b3dd0900ab5cb733e92f1c3c973e57c1a8eee0d09e
Instruction Fuzzy Hash: 24E01A312002149FC710EF69D844E9AB7E9FFA8760F00841AFC49CB261DAB0E8458B91

Function 008709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008703EE), ref: 008709DA

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7ad8f4dcfc2015d187292f1f22d3907fc2984d5d340dd16141a209263bd1010d
Instruction ID: 09815871041632bb022be69ae91ce603597fb642536b3c72870d89c95620e15a
Opcode Fuzzy Hash: 7ad8f4dcfc2015d187292f1f22d3907fc2984d5d340dd16141a209263bd1010d
Instruction Fuzzy Hash:

Function 0087781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0087798B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 735e991d42355cc62bb27e2ecc8f162133922b4edfa48e7e4bd5287c6a04c00b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3E517B3160C74996DB38856CC85D7BE6785FB12304F18C539D98EC728EC629DE01D39B

Function 00886DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5908e5ae6c6a40f9cc9a5d5fdc1ed1dad3dfb0185f283b1db8b123dcbf8a6916
Instruction ID: f439713f8e28ee57334fcaff0cc04c3175ea0063bfc513022e9a04549e72c663
Opcode Fuzzy Hash: 5908e5ae6c6a40f9cc9a5d5fdc1ed1dad3dfb0185f283b1db8b123dcbf8a6916
Instruction Fuzzy Hash: C8320421D29F014DD723A634D922335A659FFB73C5F25D737E81AB59AAEB29C4838200

Function 0086CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74c44260275cd8da1d92aef654b9a3ac8a59eca0cb29c494608b406a5ab5372
Instruction ID: 0b7cd8ef6fc4ec82c46cebb989ab828c3214d12032383953101c57480720a3f3
Opcode Fuzzy Hash: b74c44260275cd8da1d92aef654b9a3ac8a59eca0cb29c494608b406a5ab5372
Instruction Fuzzy Hash: 34323631A041198BEF28CF2DC4906BD7BA1FF47314F29816AD89ACBA91E734DD81DB50

Function 00857920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f696456ad71d0e81e3442aea893117224b7b594857ebfda9f10cfd0f069f417
Instruction ID: 4dc6a2957aedf2a38af4c8f5fb6fbd2655a556ed8babc3d6184038458196bafd
Opcode Fuzzy Hash: 1f696456ad71d0e81e3442aea893117224b7b594857ebfda9f10cfd0f069f417
Instruction Fuzzy Hash: DF22D0B0A04609DFDF14DFA8D881AAEB7B6FF44304F148529E816E7291EB36AD14CB51

Function 008591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21713c73751870f58bc696759a7a1e837a1d5ca63f2c770b0d9debd1967d96ea
Instruction ID: 24559fdd0f6996e9326aaa02530c2e0ab46cfb30512c870c753147b39636b4c2
Opcode Fuzzy Hash: 21713c73751870f58bc696759a7a1e837a1d5ca63f2c770b0d9debd1967d96ea
Instruction Fuzzy Hash: 3C02E6B0E00209EBDF04DF58D881AADBBB5FF44304F158169E856DB391EB31EA65CB81

Function 00871C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2f8f372a248cdca834c9f9d8ef5b953d180a3bdebd4aa374fa998f0e349f11fb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 199167732080A349DF29463D857D03DFFE1EA923A531A479DD4FACA9C9FE14C954E620

Function 008719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d0e4c11f63605901d4d9e3907ab9cc45641222b29658425f663ac37ab763b03e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 309185722090A34ADF29427E857C03DFFE1EA923B1319879DD4FACA9C9FE14C654D620

Function 00877A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352580e09fe2fb560eb8a6076dd9b97723d4e96d3ed0327229435db459f09512
Instruction ID: 4ba78f4578e7e362e5b342dea6749da8ce1998d664d1735a6dec51aea279e396
Opcode Fuzzy Hash: 352580e09fe2fb560eb8a6076dd9b97723d4e96d3ed0327229435db459f09512
Instruction Fuzzy Hash: 0F61BA3034C709A6EE388A2C8C95BBEA384FF41364F10C91AE94FDB28DD611DE42D756

Function 00877CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0601d5e35f5e8ab12d7a85676727ca0d9c94e1627cdf06cdadbb59052ad32877
Instruction ID: d77633650d9f00718dd73734746cb657d6b1c381db09681ba8dd4aefe06dae6f
Opcode Fuzzy Hash: 0601d5e35f5e8ab12d7a85676727ca0d9c94e1627cdf06cdadbb59052ad32877
Instruction Fuzzy Hash: 41619D3224C709A7DE384A6C4895BBF2B94FF42B08F14C959E94FCB28DE611DD41C356

Function 00871706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b3c04dcb106ed073bf4d11e2ab05999d833fe0901a2af4695f7919dc44eda376
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2B8188325080A309DF6D463D857C13EFFE1FA923A131A47ADD4FACA9C9EE24C555E620

Function 008C2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bcd4476535f5aa73e752e033b92711e67056ef03a8f17423f5750d5b400bb2
Instruction ID: accd3432be1b485ccb8dd5db55dcb6ba887d773f94f63062788e8a6879e12775
Opcode Fuzzy Hash: 55bcd4476535f5aa73e752e033b92711e67056ef03a8f17423f5750d5b400bb2
Instruction Fuzzy Hash: D721A5326206158BD728CF79C82267A73E5F764320F25862EE4A7C77D1DE35E904DB80

Function 008D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008D2B30
DeleteObject.GDI32(00000000), ref: 008D2B43
DestroyWindow.USER32 ref: 008D2B52
GetDesktopWindow.USER32 ref: 008D2B6D
GetWindowRect.USER32(00000000), ref: 008D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2CF8
GetClientRect.USER32(00000000,?), ref: 008D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2DA8
GlobalFree.KERNEL32(00000000), ref: 008D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008EFC38,00000000), ref: 008D2DDB
GlobalFree.KERNEL32(00000000), ref: 008D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008D303F

Strings

AutoIt v3, xrefs: 008D2CF2
static, xrefs: 008D2D3A, 008D2E91
DISPLAY, xrefs: 008D2EA2
, xrefs: 008D2FC5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cb8af1cf6d30fc98e0f0872f2de9b9d04255b672be408597a8d214c486462577
Instruction ID: 1a8abd157b99da0a400666ed397b015c3d2af167b4f3b1e06b4e4078f1edffa5
Opcode Fuzzy Hash: cb8af1cf6d30fc98e0f0872f2de9b9d04255b672be408597a8d214c486462577
Instruction Fuzzy Hash: 7D025E71900209EFDB14DF68CC89EAE7BB9FB58311F048659F915EB2A1DB749D01CB60

Function 008E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008E712F
GetSysColorBrush.USER32(0000000F), ref: 008E7160
GetSysColor.USER32(0000000F), ref: 008E716C
SetBkColor.GDI32(?,000000FF), ref: 008E7186
SelectObject.GDI32(?,?), ref: 008E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008E71C0
GetSysColor.USER32(00000010), ref: 008E71C8
CreateSolidBrush.GDI32(00000000), ref: 008E71CF
FrameRect.USER32(?,?,00000000), ref: 008E71DE
DeleteObject.GDI32(00000000), ref: 008E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008E7230
FillRect.USER32(?,?,?), ref: 008E7262
GetWindowLongW.USER32(?,000000F0), ref: 008E7284

Part of subcall function 008E73E8: GetSysColor.USER32(00000012), ref: 008E7421
Part of subcall function 008E73E8: SetTextColor.GDI32(?,?), ref: 008E7425
Part of subcall function 008E73E8: GetSysColorBrush.USER32(0000000F), ref: 008E743B
Part of subcall function 008E73E8: GetSysColor.USER32(0000000F), ref: 008E7446
Part of subcall function 008E73E8: GetSysColor.USER32(00000011), ref: 008E7463
Part of subcall function 008E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008E7471
Part of subcall function 008E73E8: SelectObject.GDI32(?,00000000), ref: 008E7482
Part of subcall function 008E73E8: SetBkColor.GDI32(?,00000000), ref: 008E748B
Part of subcall function 008E73E8: SelectObject.GDI32(?,?), ref: 008E7498
Part of subcall function 008E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008E74B7
Part of subcall function 008E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008E74CE
Part of subcall function 008E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008E74DB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2065c2ffb22a1f27d16b0f99c425dd5db7e407d028ef9175c73248fa683ff3c0
Instruction ID: 456bcbd7fb04b9b48281f1ca8446562ee6d37669826e32be68ae66998b36fef2
Opcode Fuzzy Hash: 2065c2ffb22a1f27d16b0f99c425dd5db7e407d028ef9175c73248fa683ff3c0
Instruction Fuzzy Hash: 2CA1A172408381BFDB109F64DC88E6B7BA9FF49320F100A19FA62DA1E1D771E946DB51

Function 00868D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00868E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008A6F43

Part of subcall function 00868F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00868BE8,?,00000000,?,?,?,?,00868BBA,00000000,?), ref: 00868FC5

SendMessageW.USER32(?,00001053), ref: 008A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008A6FB7

Strings

0, xrefs: 008A6DCF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c2c7047b45105d940ff5757c59690fbb1860be855cc17b83a1f3e650dc251e88
Instruction ID: 647a55a05646b054d3242f123399a4e6d21a22c729e81c5ad74896ac3dc823e6
Opcode Fuzzy Hash: c2c7047b45105d940ff5757c59690fbb1860be855cc17b83a1f3e650dc251e88
Instruction Fuzzy Hash: 0A12EF34604201DFE725CF18D884BA6B7E1FF5A310F184168F489CBA65DB32ECA2DB91

Function 008D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008D2900
GetClientRect.USER32(00000000,?), ref: 008D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008D2964
GetStockObject.GDI32(00000011), ref: 008D2974
SelectObject.GDI32(00000000,00000000), ref: 008D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D2991
DeleteDC.GDI32(00000000), ref: 008D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 008D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008D2A77
GetStockObject.GDI32(00000011), ref: 008D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008D2A97

Strings

AutoIt v3, xrefs: 008D28F8
static, xrefs: 008D294F, 008D2A71
msctls_progress32, xrefs: 008D2A13
DISPLAY, xrefs: 008D295A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 03e7dcd20a1ecc36759b109b728c9d85198000ea8382c2b24efa3ed7406371e8
Instruction ID: 5fdea04feee717ecb0b741b90387868ebc8d3f73e5ff3431e5ec7e16ade91421
Opcode Fuzzy Hash: 03e7dcd20a1ecc36759b109b728c9d85198000ea8382c2b24efa3ed7406371e8
Instruction Fuzzy Hash: 84B15D71A00219AFEB24DF68DC89FAE7BA9FB58711F008215F915EB290D774ED41CB90

Function 008C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C4AED
GetDriveTypeW.KERNEL32(?,008ECB68,?,\\.\,008ECC08), ref: 008C4BCA
SetErrorMode.KERNEL32(00000000,008ECB68,?,\\.\,008ECC08), ref: 008C4D36

Strings

CDROM, xrefs: 008C4BFB
SATA, xrefs: 008C4CD0
Unknown, xrefs: 008C4BED, 008C4C83
SCSI, xrefs: 008C4C8A
MMC, xrefs: 008C4CDE
Virtual, xrefs: 008C4CE5
ATA, xrefs: 008C4C98
USB, xrefs: 008C4CB4
1394, xrefs: 008C4C9F
Fixed, xrefs: 008C4C09
\\.\, xrefs: 008C4B3F
FileBackedVirtual, xrefs: 008C4CEC
SSD, xrefs: 008C4C4A
ATAPI, xrefs: 008C4C91
Network, xrefs: 008C4C02
SSA, xrefs: 008C4CA6
RAMDisk, xrefs: 008C4BF4
SAS, xrefs: 008C4CC9
Removable, xrefs: 008C4C10, 008C4C15
Fibre, xrefs: 008C4CAD
PhysicalDrive, xrefs: 008C4B76
iSCSI, xrefs: 008C4CC2
RAID, xrefs: 008C4CBB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e4f8322a3ec7d99dfe59b4f24f3c107662ba9ccbfffa06afe5ca9a53820f8eb7
Instruction ID: b704c3182e64e54d14938a20b747c1947be7d1d05fade17131ae7dde0c2fb42e
Opcode Fuzzy Hash: e4f8322a3ec7d99dfe59b4f24f3c107662ba9ccbfffa06afe5ca9a53820f8eb7
Instruction Fuzzy Hash: BF61B334B0120D9BCB14DF28D9A2EA977B0FB45358B20501DF806EB2A1DB35DDC1DB42

Function 008E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008E7421
SetTextColor.GDI32(?,?), ref: 008E7425
GetSysColorBrush.USER32(0000000F), ref: 008E743B
GetSysColor.USER32(0000000F), ref: 008E7446
CreateSolidBrush.GDI32(?), ref: 008E744B
GetSysColor.USER32(00000011), ref: 008E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008E7471
SelectObject.GDI32(?,00000000), ref: 008E7482
SetBkColor.GDI32(?,00000000), ref: 008E748B
SelectObject.GDI32(?,?), ref: 008E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008E7572
DrawFocusRect.USER32(?,?), ref: 008E757D
GetSysColor.USER32(00000011), ref: 008E758E
SetTextColor.GDI32(?,00000000), ref: 008E7596
DrawTextW.USER32(?,008E70F5,000000FF,?,00000000), ref: 008E75A8
SelectObject.GDI32(?,?), ref: 008E75BF
DeleteObject.GDI32(?), ref: 008E75CA
SelectObject.GDI32(?,?), ref: 008E75D0
DeleteObject.GDI32(?), ref: 008E75D5
SetTextColor.GDI32(?,?), ref: 008E75DB
SetBkColor.GDI32(?,?), ref: 008E75E5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bdc07acb8759d1370d4f5b81a231462958733abb30d3f0befd2bef25a4d4b7c5
Instruction ID: a45418ef19bbcaf242cc1cc96f77fdb5599ca845d4f3d4b2f48ebc3ba4b459ff
Opcode Fuzzy Hash: bdc07acb8759d1370d4f5b81a231462958733abb30d3f0befd2bef25a4d4b7c5
Instruction Fuzzy Hash: 83616B72D00258AFDF019FA4DC89EAEBFB9FB09320F114125F915AB2A1D7719941DF90

Function 008E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008E1128
GetDesktopWindow.USER32 ref: 008E113D
GetWindowRect.USER32(00000000), ref: 008E1144
GetWindowLongW.USER32(?,000000F0), ref: 008E1199
DestroyWindow.USER32(?), ref: 008E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008E1245
IsWindowVisible.USER32(00000000), ref: 008E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008E12D0
GetWindowRect.USER32(00000000,?), ref: 008E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008E130E
GetMonitorInfoW.USER32(00000000,?), ref: 008E1328
CopyRect.USER32(?,?), ref: 008E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008E13AA

Strings

0, xrefs: 008E10D3
tooltips_class32, xrefs: 008E11E6
(, xrefs: 008E131B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b71b0704f57dca64d50f344873518d94d6be647d720cc1a8869c0c70a4eaadb7
Instruction ID: 3c395b1e63df26c58f823210c26dee4747fa1d3377d7835bd3e5b47b9f43ef47
Opcode Fuzzy Hash: b71b0704f57dca64d50f344873518d94d6be647d720cc1a8869c0c70a4eaadb7
Instruction Fuzzy Hash: 83B17871604381AFDB14DF69C888A6ABBE4FF85354F00891CF999DB2A1D731E845CB92

Function 008E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008E02E5
_wcslen.LIBCMT ref: 008E031F
_wcslen.LIBCMT ref: 008E0389
_wcslen.LIBCMT ref: 008E03F1
_wcslen.LIBCMT ref: 008E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008E0504

Part of subcall function 0086F9F2: _wcslen.LIBCMT ref: 0086F9FD

Part of subcall function 008B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008B2258
Part of subcall function 008B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008B228A

Strings

SELECTALL, xrefs: 008E0515
GETSUBITEMCOUNT, xrefs: 008E0384, 008E039F
GETSELECTEDCOUNT, xrefs: 008E0470, 008E048B
SELECTCLEAR, xrefs: 008E052D
SELECT, xrefs: 008E0548
FINDITEM, xrefs: 008E0627
GETITEMCOUNT, xrefs: 008E0316, 008E0337
SELECTINVERT, xrefs: 008E057E
VIEWCHANGE, xrefs: 008E0675
GETTEXT, xrefs: 008E03EC, 008E0407
ISSELECTED, xrefs: 008E04DD
DESELECT, xrefs: 008E059C
GETSELECTED, xrefs: 008E05E1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: ea959852a5cdbd69705d4682c0dc8d018f2fa40bcafb267a4e610fe8905cfcaf
Instruction ID: 761313aa7b5613d7f23753e7b11089d1f6fc0740033a2b16b74777b23d062286
Opcode Fuzzy Hash: ea959852a5cdbd69705d4682c0dc8d018f2fa40bcafb267a4e610fe8905cfcaf
Instruction Fuzzy Hash: 50E1AF312083858FC714DF29C55096AB7E6FF99318B14495CF896EB3A2DB70ED85CB82

Function 00868891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00868968
GetSystemMetrics.USER32(00000007), ref: 00868970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0086899B
GetSystemMetrics.USER32(00000008), ref: 008689A3
GetSystemMetrics.USER32(00000004), ref: 008689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00868A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00868A3C
GetClientRect.USER32(00000000,000000FF), ref: 00868A5A
GetStockObject.GDI32(00000011), ref: 00868A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00868A81

Part of subcall function 0086912D: GetCursorPos.USER32(?), ref: 00869141
Part of subcall function 0086912D: ScreenToClient.USER32(00000000,?), ref: 0086915E
Part of subcall function 0086912D: GetAsyncKeyState.USER32(00000001), ref: 00869183
Part of subcall function 0086912D: GetAsyncKeyState.USER32(00000002), ref: 0086919D

SetTimer.USER32(00000000,00000000,00000028,008690FC), ref: 00868AA8

Strings

AutoIt v3 GUI, xrefs: 00868A20

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0ea3e6d9c54c9ac060fd86c7c5d40d5c5ba7ee3b4d6ac79e21d240dd50a6866d
Instruction ID: efa09f916fdd1328888227156568e655fbb22404b56ade57bf6c252220194088
Opcode Fuzzy Hash: 0ea3e6d9c54c9ac060fd86c7c5d40d5c5ba7ee3b4d6ac79e21d240dd50a6866d
Instruction Fuzzy Hash: F6B17875A0020AEFDB14DFA8DC85BAE3BB5FB48314F154229FA15EB290DB34A851CF51

Function 008B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008B1114
Part of subcall function 008B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B1120
Part of subcall function 008B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B112F
Part of subcall function 008B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B1136
Part of subcall function 008B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008B0E29
GetLengthSid.ADVAPI32(?), ref: 008B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008B0E96
GetLengthSid.ADVAPI32(?), ref: 008B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008B0EB5
HeapAlloc.KERNEL32(00000000), ref: 008B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008B0EDD
CopySid.ADVAPI32(00000000), ref: 008B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B0F6E
HeapFree.KERNEL32(00000000), ref: 008B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B0F7E
HeapFree.KERNEL32(00000000), ref: 008B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B0F8E
HeapFree.KERNEL32(00000000), ref: 008B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008B0FA1
HeapFree.KERNEL32(00000000), ref: 008B0FA8

Part of subcall function 008B1193: GetProcessHeap.KERNEL32(00000008,008B0BB1,?,00000000,?,008B0BB1,?), ref: 008B11A1
Part of subcall function 008B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008B0BB1,?), ref: 008B11A8
Part of subcall function 008B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008B0BB1,?), ref: 008B11B7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e451028cc8da64b00643ca86e551dda27e5b5d355771d87260a327bcd6774598
Instruction ID: 598fb187e7f9448076243e352fffc7e2172c773bed2494fdd2f228e0c037e5fb
Opcode Fuzzy Hash: e451028cc8da64b00643ca86e551dda27e5b5d355771d87260a327bcd6774598
Instruction Fuzzy Hash: 4B713D71A0024AABDF209FA4DC45BEFBBB8FF05310F148155F959EA291DB719A05CF60

Function 008DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008ECC08,00000000,?,00000000,?,?), ref: 008DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008DC5A4
_wcslen.LIBCMT ref: 008DC5F4
_wcslen.LIBCMT ref: 008DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008DC84D
RegCloseKey.ADVAPI32(?), ref: 008DC881
RegCloseKey.ADVAPI32(00000000), ref: 008DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008DC960

Strings

REG_EXPAND_SZ, xrefs: 008DC5CD
REG_QWORD, xrefs: 008DC8C3
REG_DWORD, xrefs: 008DC804
REG_SZ, xrefs: 008DC644
REG_BINARY, xrefs: 008DC913
REG_MULTI_SZ, xrefs: 008DC6F5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 469b317963091987ff067b33779cbc0a3a957058384e955e4de690dcb4d8773c
Instruction ID: cc21ae72dc99ba3a16ac69ed504675f88e69db3dd2681c962f72c1c61003a425
Opcode Fuzzy Hash: 469b317963091987ff067b33779cbc0a3a957058384e955e4de690dcb4d8773c
Instruction Fuzzy Hash: 711245356042019FDB14DF18D881A2AB7E5FF88765F04895DF88ADB3A2DB31ED45CB82

Function 008E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008E09C6
_wcslen.LIBCMT ref: 008E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008E0A54
_wcslen.LIBCMT ref: 008E0A8A
_wcslen.LIBCMT ref: 008E0B06
_wcslen.LIBCMT ref: 008E0B81

Part of subcall function 0086F9F2: _wcslen.LIBCMT ref: 0086F9FD

Part of subcall function 008B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008B2BFA

Strings

UNCHECK, xrefs: 008E0D3E
SELECT, xrefs: 008E0D11
GETTOTALCOUNT, xrefs: 008E09F2, 008E0A17
EXISTS, xrefs: 008E0B7C, 008E0B97
EXPAND, xrefs: 008E0BF8
GETITEMCOUNT, xrefs: 008E0C1E
GETTEXT, xrefs: 008E0C97
COLLAPSE, xrefs: 008E0B01, 008E0B1C
CHECK, xrefs: 008E0A85, 008E0AA0
ISCHECKED, xrefs: 008E0CE1
GETSELECTED, xrefs: 008E0C4E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 73d1ed363788ab5f9c3941fada91687d37c3b0ff1082db4c6c6ab9d921697ed3
Instruction ID: d41e2aa687df82a16134b2b5d434c4d41360a0066a50bbe925a7a630cd8d9244
Opcode Fuzzy Hash: 73d1ed363788ab5f9c3941fada91687d37c3b0ff1082db4c6c6ab9d921697ed3
Instruction Fuzzy Hash: 3DE18A352083858FC714DF29C45096AB7E1FF9A358B14895CF896DB3A2D770ED89CB82

Function 008DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DB6AE,?,?), ref: 008DC9B5
_wcslen.LIBCMT ref: 008DC9F1
_wcslen.LIBCMT ref: 008DCA68
_wcslen.LIBCMT ref: 008DCA9E
_wcslen.LIBCMT ref: 008DCAF9
_wcslen.LIBCMT ref: 008DCB2F
_wcslen.LIBCMT ref: 008DCB7F

Strings

HKCU, xrefs: 008DCBCE
HKEY_CURRENT_CONFIG, xrefs: 008DCB79, 008DCB7E
HKEY_USERS, xrefs: 008DCBDF
HKEY_CLASSES_ROOT, xrefs: 008DCAF3, 008DCAF8
HKLM, xrefs: 008DCA98, 008DCA9D
HKEY_LOCAL_MACHINE, xrefs: 008DCA62, 008DCA67
HKEY_CURRENT_USER, xrefs: 008DCBBD
HKCR, xrefs: 008DCB29, 008DCB2E
HKU, xrefs: 008DCBF0
HKCC, xrefs: 008DCBAC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a3df0efdc313a69acf351a6adb7e071230fc18577c4c64d7d8b7950c9f0d64da
Instruction ID: 5f3e576c7c64008a3dca4a7fc060ac7b2d29a142be3471919db47dca78109d9a
Opcode Fuzzy Hash: a3df0efdc313a69acf351a6adb7e071230fc18577c4c64d7d8b7950c9f0d64da
Instruction Fuzzy Hash: 9D71F27261012B8BCB20DE6CC9416BA77A1FB61764F11072BF856DB384EA31CD85C3A1

Function 008E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E835A
_wcslen.LIBCMT ref: 008E836E
_wcslen.LIBCMT ref: 008E8391
_wcslen.LIBCMT ref: 008E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008E5BF2), ref: 008E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008E8501
FreeLibrary.KERNEL32(?), ref: 008E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008E851D
DestroyIcon.USER32(?,?,?,?,?,008E5BF2), ref: 008E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008E8555

Strings

.icl, xrefs: 008E8368
.exe, xrefs: 008E8388
.dll, xrefs: 008E83AB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6a5aa2932eab2112676b8812c29364c1e90177323830f0124b0f9b3fa3d6c896
Instruction ID: ef616086aa34d976e8d7f96ec9d6c92ad48e4bfd60e3becc03549dfabe4158ff
Opcode Fuzzy Hash: 6a5aa2932eab2112676b8812c29364c1e90177323830f0124b0f9b3fa3d6c896
Instruction Fuzzy Hash: 9561CF71940259FAEB14DF65CC81BBE77A8FB05711F108509F919DA1D1DF74E980CBA0

Function 00857778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00895279
#ce, xrefs: 008578ED
#pragma compile, xrefs: 008577D3
Bad directive syntax error, xrefs: 0089519A
#comments-start, xrefs: 0085785F, 008578B1
Unterminated group of comments, xrefs: 0089528C
', xrefs: 00895169
#notrayicon, xrefs: 008577E7
#cs, xrefs: 00857873, 008578C5
#include-once, xrefs: 0085782F
#requireadmin, xrefs: 008577FF
#comments-end, xrefs: 008578D9
#OnAutoItStartRegister, xrefs: 00857817
", xrefs: 00895153
#include, xrefs: 00857847

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 32c1513f74ecc35d2385ad3a17508ddf999f7359f6ea9b18147aec614ec5d336
Instruction ID: d941fa11773a972bffe78060c132aa2dcafb9f4ef5ab8b40d53f53ae3beece41
Opcode Fuzzy Hash: 32c1513f74ecc35d2385ad3a17508ddf999f7359f6ea9b18147aec614ec5d336
Instruction Fuzzy Hash: 8881F771A44205BBDF21AF64EC42FAE37A8FF15301F148024FD14EA296EB70DA05C792

Function 008B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008B5A40
SetWindowTextW.USER32(?,?), ref: 008B5A57
GetDlgItem.USER32(?,000003EA), ref: 008B5A6C
SetWindowTextW.USER32(00000000,?), ref: 008B5A72
GetDlgItem.USER32(?,000003E9), ref: 008B5A82
SetWindowTextW.USER32(00000000,?), ref: 008B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008B5AC3
GetWindowRect.USER32(?,?), ref: 008B5ACC
_wcslen.LIBCMT ref: 008B5B33
SetWindowTextW.USER32(?,?), ref: 008B5B6F
GetDesktopWindow.USER32 ref: 008B5B75
GetWindowRect.USER32(00000000), ref: 008B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008B5BD3
GetClientRect.USER32(?,?), ref: 008B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008B5C2F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0ba973e9f402f24c631cd28353a5fdcd81979017beca4e6ae4b82e32a5fe9a9f
Instruction ID: 82e8afe7e0e45a559e4d7be423e8ad0f645de65e02c78634b6fe4063a7a928d7
Opcode Fuzzy Hash: 0ba973e9f402f24c631cd28353a5fdcd81979017beca4e6ae4b82e32a5fe9a9f
Instruction Fuzzy Hash: 4E716B31900B09AFDB20DFA8CE85BAEBBF5FF48714F104918E582E66A0D775E945CB50

Function 008700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008700C6

Part of subcall function 008700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0092070C,00000FA0,E580436A,?,?,?,?,008923B3,000000FF), ref: 0087011C
Part of subcall function 008700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008923B3,000000FF), ref: 00870127
Part of subcall function 008700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008923B3,000000FF), ref: 00870138
Part of subcall function 008700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0087014E
Part of subcall function 008700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0087015C
Part of subcall function 008700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0087016A
Part of subcall function 008700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00870195
Part of subcall function 008700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008701A0

___scrt_fastfail.LIBCMT ref: 008700E7

Part of subcall function 008700A3: __onexit.LIBCMT ref: 008700A9

Strings

WakeAllConditionVariable, xrefs: 00870162
kernel32.dll, xrefs: 00870133
InitializeConditionVariable, xrefs: 00870148
SleepConditionVariableCS, xrefs: 00870154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00870122

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: abd833f62d7325f661c57f75f84d44fcf0a738b4c3640f89041f3193ede5c43d
Instruction ID: f8e9168bb5b1283428077473bd9439f033e5dee434201a5307e5e421cd643974
Opcode Fuzzy Hash: abd833f62d7325f661c57f75f84d44fcf0a738b4c3640f89041f3193ede5c43d
Instruction Fuzzy Hash: 0B213B32A49750EFD7206B68BC45B2A3798FB45B60F008139F919DB396DB74DC008FA1

Function 008B30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B318D
_wcslen.LIBCMT ref: 008B31F8

Strings

INSTANCE, xrefs: 008B3453
TEXT, xrefs: 008B347C
CLASS, xrefs: 008B3188, 008B31A5
CLASSNN, xrefs: 008B31F3, 008B3204
REGEXPCLASS, xrefs: 008B3255, 008B3266
NAME, xrefs: 008B3335, 008B3346

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: ca4a73e0322a087246faa9a07c73d851f5c7089179172a3a361ad1c02ec57fd8
Instruction ID: 4e864961780e6452df4e2cc7563ef8e36f059d0550221ca8e9325cf1824a6aea
Opcode Fuzzy Hash: ca4a73e0322a087246faa9a07c73d851f5c7089179172a3a361ad1c02ec57fd8
Instruction Fuzzy Hash: 2FE1C532A0061AEBCB289F78C8517EEBBB4FF54714F558129E456F7350DB30AE898790

Function 008C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008ECC08), ref: 008C4527
_wcslen.LIBCMT ref: 008C453B
_wcslen.LIBCMT ref: 008C4599
_wcslen.LIBCMT ref: 008C45F4
_wcslen.LIBCMT ref: 008C463F
_wcslen.LIBCMT ref: 008C46A7

Part of subcall function 0086F9F2: _wcslen.LIBCMT ref: 0086F9FD

GetDriveTypeW.KERNEL32(?,00916BF0,00000061), ref: 008C4743

Strings

unknown, xrefs: 008C4708
all, xrefs: 008C4531, 008C4536
cdrom, xrefs: 008C458F, 008C4594
ramdisk, xrefs: 008C46F1
network, xrefs: 008C469D, 008C46A2
removable, xrefs: 008C45EA, 008C45EF
fixed, xrefs: 008C4635, 008C463A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 47a513bb51a877e7770d306d4cca09ca3d98ca4c9c7c1a881d67a78791567615
Instruction ID: 3c781cb4c855a3e2a0394afe4e9db145c4e773effca223c36f51b7483e1006b2
Opcode Fuzzy Hash: 47a513bb51a877e7770d306d4cca09ca3d98ca4c9c7c1a881d67a78791567615
Instruction Fuzzy Hash: 6AB1DE31A083029BC720DF28D8A0F6AB7F5FFA5764F50592DF596C7295E730D888CA52

Function 008DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008DB1D4
_wcslen.LIBCMT ref: 008DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008DB236
_wcslen.LIBCMT ref: 008DB332

Part of subcall function 008C05A7: GetStdHandle.KERNEL32(000000F6), ref: 008C05C6

_wcslen.LIBCMT ref: 008DB34B
_wcslen.LIBCMT ref: 008DB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008DB3B6
GetLastError.KERNEL32(00000000), ref: 008DB407
CloseHandle.KERNEL32(?), ref: 008DB439
CloseHandle.KERNEL32(00000000), ref: 008DB44A
CloseHandle.KERNEL32(00000000), ref: 008DB45C
CloseHandle.KERNEL32(00000000), ref: 008DB46E
CloseHandle.KERNEL32(?), ref: 008DB4E3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 458be6f243156c445121a9ee84a197c07e912e2fda4ac4fd4c6d180974cb53d8
Instruction ID: 9ab1983a4b2b1fdab8576b33b20e2a9ac5d63eefb6f607e88e139af4a2e0680e
Opcode Fuzzy Hash: 458be6f243156c445121a9ee84a197c07e912e2fda4ac4fd4c6d180974cb53d8
Instruction Fuzzy Hash: 53F15731508240DFCB14EF28C891A6ABBE5FF85314F15865EF8999B3A2DB31EC45CB52

Function 0085326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00921990), ref: 00892F8D
GetMenuItemCount.USER32(00921990), ref: 0089303D
GetCursorPos.USER32(?), ref: 00893081
SetForegroundWindow.USER32(00000000), ref: 0089308A
TrackPopupMenuEx.USER32(00921990,00000000,?,00000000,00000000,00000000), ref: 0089309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008930A9

Strings

0, xrefs: 0085327D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e56bcb6888896f6d531982ffcbe9b43a4daabe02757d89e8a8ee2267ea720ac2
Instruction ID: cf89626bebc8f6b1370846df8d7640e0155390c45b00cc6fb653555fc488e413
Opcode Fuzzy Hash: e56bcb6888896f6d531982ffcbe9b43a4daabe02757d89e8a8ee2267ea720ac2
Instruction Fuzzy Hash: BB712930640609BEEF319F68CC89FAABF64FF05364F244216F925EA1E0C7B1A914DB51

Function 008E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008E6DEB

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008E6E94
DestroyWindow.USER32(?), ref: 008E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00850000,00000000), ref: 008E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008E6EFD
GetDesktopWindow.USER32 ref: 008E6F16
GetWindowRect.USER32(00000000), ref: 008E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008E6F4D

Part of subcall function 00869944: GetWindowLongW.USER32(?,000000EB), ref: 00869952

Strings

tooltips_class32, xrefs: 008E6E58, 008E6EDD
0, xrefs: 008E6D98

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e468a7fc2a8081b1e6c2e65aab10d1967b33032f2b791ef555f7cf923bc83b52
Instruction ID: 43353ea9b0e2a2a3a144c89e8a2ace715df5d40ae937f59cadc2855dc762471d
Opcode Fuzzy Hash: e468a7fc2a8081b1e6c2e65aab10d1967b33032f2b791ef555f7cf923bc83b52
Instruction Fuzzy Hash: 2A71AC74504285AFDB20CF19DC84A6BBBE9FBAA344F14041DF988C72A1DB30EC56DB12

Function 008E911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

DragQueryPoint.SHELL32(?,?), ref: 008E9147

Part of subcall function 008E7674: ClientToScreen.USER32(?,?), ref: 008E769A
Part of subcall function 008E7674: GetWindowRect.USER32(?,?), ref: 008E7710
Part of subcall function 008E7674: PtInRect.USER32(?,?,008E8B89), ref: 008E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008E9277
DragFinish.SHELL32(?), ref: 008E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008E9371

Strings

@GUI_DRAGID, xrefs: 008E92E9
@GUI_DRAGFILE, xrefs: 008E9320
@GUI_DROPID, xrefs: 008E929E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: e550a6fe5cc45c4cbfe0f53faa76f8dfd44445b10328839e886c154eee35b221
Instruction ID: 4afd798c3582b74afea0e8532fcb4e459728a39f422ddfc85d56df801b378b3a
Opcode Fuzzy Hash: e550a6fe5cc45c4cbfe0f53faa76f8dfd44445b10328839e886c154eee35b221
Instruction Fuzzy Hash: 68619971108341AFC701DF68DC85DAFBBE8FF99750F00092EF9A5962A1DB709A49CB52

Function 008CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008CC5F0
InternetCloseHandle.WININET(00000000), ref: 008CC5FB

Strings

, xrefs: 008CC575

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: deca39a5984d874cfd4f99282ed37ea461baeec34bfaa490e46755623dc34ec2
Instruction ID: d85cf8e5236510ff912151c14330e748b15d595018835d5660e3ed7354198d5d
Opcode Fuzzy Hash: deca39a5984d874cfd4f99282ed37ea461baeec34bfaa490e46755623dc34ec2
Instruction Fuzzy Hash: 055139B1900648BFDB219F64CD88FAB7BBCFB08754F00841EF94AD6250DB34E9459B61

Function 008E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 008E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,008EFC38,?), ref: 008E8611
GlobalFree.KERNEL32(00000000), ref: 008E8621
GetObjectW.GDI32(?,00000018,?), ref: 008E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008E8671
DeleteObject.GDI32(?), ref: 008E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008E86AF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e16d56f3424dc1070bd7bd506401a4b477b4f2714e9b4cf7d62c66a6e1bc28d3
Instruction ID: 7eab7b26d2bbcfadb1eab0c9655db2d0c4fdd9095ef01eeb4f5ca52a28cadbaa
Opcode Fuzzy Hash: e16d56f3424dc1070bd7bd506401a4b477b4f2714e9b4cf7d62c66a6e1bc28d3
Instruction Fuzzy Hash: E641EB75A00244FFDB119FA5DC88EAE7BB8FB99715F104058F919EB260DB309901DB60

Function 008C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 008C1502
VariantCopy.OLEAUT32(?,?), ref: 008C150B
VariantClear.OLEAUT32(?), ref: 008C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 008C1657
VariantInit.OLEAUT32(?), ref: 008C1708
SysFreeString.OLEAUT32(?), ref: 008C178C
VariantClear.OLEAUT32(?), ref: 008C17D8
VariantClear.OLEAUT32(?), ref: 008C17E7
VariantInit.OLEAUT32(00000000), ref: 008C1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008C1625
Default, xrefs: 008C16AF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2ed676895917cc4617accd59bd6cc409a2c597762f167d3708e4510617982fed
Instruction ID: c7b56cfa12a9448f97c13c4c488f10701f9f4a14e8fabf724da9b10b88457fd3
Opcode Fuzzy Hash: 2ed676895917cc4617accd59bd6cc409a2c597762f167d3708e4510617982fed
Instruction Fuzzy Hash: DFD1CD71A00219DBDF009F69E8C9F69B7B5FF46704F50809AE846EB182DB30EC45DB62

Function 008DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DB6AE,?,?), ref: 008DC9B5
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DC9F1
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DCA68
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 008DB80A
RegCloseKey.ADVAPI32(?), ref: 008DB87E
RegCloseKey.ADVAPI32(?), ref: 008DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 008DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 008DB922
FreeLibrary.KERNEL32(00000000), ref: 008DB983
RegCloseKey.ADVAPI32(00000000), ref: 008DB994

Strings

advapi32.dll, xrefs: 008DB8ED
RegDeleteKeyExW, xrefs: 008DB8FE

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 66c7038615848a5a8caa923947e6a653946acf44ecb9ae33687692cd75383b9f
Instruction ID: 7dac8f7d2e12b30c04d7d64dcba7560941db38ee896bd5d59c212f7dda164cd7
Opcode Fuzzy Hash: 66c7038615848a5a8caa923947e6a653946acf44ecb9ae33687692cd75383b9f
Instruction Fuzzy Hash: CEC17B34204241EFD714DF18C494F2ABBE5FF84318F55865DE49A8B3A2DB71E845CB92

Function 008D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008D25E8
CreateCompatibleDC.GDI32(?), ref: 008D25F4
SelectObject.GDI32(00000000,?), ref: 008D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008D26D0
SelectObject.GDI32(?,?), ref: 008D26D8
DeleteObject.GDI32(?), ref: 008D26E1
DeleteDC.GDI32(?), ref: 008D26E8
ReleaseDC.USER32(00000000,?), ref: 008D26F3

Strings

(, xrefs: 008D268D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a2a1618ae43852bd9f9e473dfef4906401aa0c37d3877364e762f90e67d27c6d
Instruction ID: b0bddceb84fba5595cd738faea469b704a1931bdaae49c14f63c909ec95fa398
Opcode Fuzzy Hash: a2a1618ae43852bd9f9e473dfef4906401aa0c37d3877364e762f90e67d27c6d
Instruction Fuzzy Hash: A461D175D00219EFCF14CFA8D884EAEBBB5FF58310F20852AE955AB250E770A9518F60

Function 0088DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0088DAA1

Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D659
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D66B
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D67D
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D68F
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D6A1
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D6B3
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D6C5
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D6D7
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D6E9
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D6FB
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D70D
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D71F
Part of subcall function 0088D63C: _free.LIBCMT ref: 0088D731

_free.LIBCMT ref: 0088DA96

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

_free.LIBCMT ref: 0088DAB8
_free.LIBCMT ref: 0088DACD
_free.LIBCMT ref: 0088DAD8
_free.LIBCMT ref: 0088DAFA
_free.LIBCMT ref: 0088DB0D
_free.LIBCMT ref: 0088DB1B
_free.LIBCMT ref: 0088DB26
_free.LIBCMT ref: 0088DB5E
_free.LIBCMT ref: 0088DB65
_free.LIBCMT ref: 0088DB82
_free.LIBCMT ref: 0088DB9A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7eca3f07c264824bc1c19b8b256f59abaab8b3d367e48cc767bc4029346566e6
Instruction ID: d3bcf750fd3667edfbc9890db6e9c5f6ceb5358ee2884acce63fbbcca4f5f689
Opcode Fuzzy Hash: 7eca3f07c264824bc1c19b8b256f59abaab8b3d367e48cc767bc4029346566e6
Instruction Fuzzy Hash: AA3147326443059FEB26BA39EC45F5ABBE9FF00360F264429E449D71D2DE35EC808B21

Function 008B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008B369C
_wcslen.LIBCMT ref: 008B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008B3797
GetClassNameW.USER32(?,?,00000400), ref: 008B380C
GetDlgCtrlID.USER32(?), ref: 008B385D
GetWindowRect.USER32(?,?), ref: 008B3882
GetParent.USER32(?), ref: 008B38A0
ScreenToClient.USER32(00000000), ref: 008B38A7
GetClassNameW.USER32(?,?,00000100), ref: 008B3921
GetWindowTextW.USER32(?,?,00000400), ref: 008B395D

Strings

%s%u, xrefs: 008B3734

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ed9e66f6cb2c73f56e36bed0e12a26b9411f308055ceb72979261644c66d9dd9
Instruction ID: c541a744df007549bd8159aed699a36d37a03d97d0776a0f3282335847d7610b
Opcode Fuzzy Hash: ed9e66f6cb2c73f56e36bed0e12a26b9411f308055ceb72979261644c66d9dd9
Instruction Fuzzy Hash: DA91C371204706AFD719DF24C885FEAFBA8FF45350F008529F999C6290EB30EA45CB92

Function 008B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008B4994
GetWindowTextW.USER32(?,?,00000400), ref: 008B49DA
_wcslen.LIBCMT ref: 008B49EB
CharUpperBuffW.USER32(?,00000000), ref: 008B49F7
_wcsstr.LIBVCRUNTIME ref: 008B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008B4B20
GetWindowRect.USER32(?,?), ref: 008B4B8B

Strings

ThumbnailClass, xrefs: 008B4A6F, 008B4AF1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f9d4742ff11b85366434e58512feb48d2c24ea17c9affd01b4166464e65ab052
Instruction ID: bd91bb3612ecf9fe0f0cb49aa5d13d5a5e91aa654aef7647158eed91a8ff8cc7
Opcode Fuzzy Hash: f9d4742ff11b85366434e58512feb48d2c24ea17c9affd01b4166464e65ab052
Instruction Fuzzy Hash: D091AE711042059BDB04DF54C982BEA7BA8FF84714F049469FE89DA2A7DB30ED45CBA2

Function 008E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008E8D5A
GetFocus.USER32 ref: 008E8D6A
GetDlgCtrlID.USER32(00000000), ref: 008E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008E8ECF
GetMenuItemCount.USER32(?), ref: 008E8EEC
GetMenuItemID.USER32(?,00000000), ref: 008E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008E8FA1

Strings

0, xrefs: 008E8E9F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: bc07785640e89dbf56414afc58be229e614aba2ddb64d9c793fc3009fc9de89e
Instruction ID: 74eff4b9ba1fd13529ab7a486cc96ec1c4733ff67f1578134f045e7960a04fdb
Opcode Fuzzy Hash: bc07785640e89dbf56414afc58be229e614aba2ddb64d9c793fc3009fc9de89e
Instruction Fuzzy Hash: 9981AE71908381DFDB10CF25D884AAF7BE9FB8A714F040959F999D7291DB30D901CBA2

Function 008BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008BDC46
_wcslen.LIBCMT ref: 008BDC50
_wcsstr.LIBVCRUNTIME ref: 008BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008BDCBC

Strings

DefaultLangCodepage, xrefs: 008BDD1F
StringFileInfo\, xrefs: 008BDC8F
%u.%u.%u.%u, xrefs: 008BDD9A
\VarFileInfo\Translation, xrefs: 008BDCB4
04090000, xrefs: 008BDCF2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 574a8d19dbe43c9156bec59501a17e06b559da86c9674811839f7925e78be9b4
Instruction ID: 24be9206d2ac2787b25d5dd60e88b1c2de3bec08e9fc55ec0f7757680d20c904
Opcode Fuzzy Hash: 574a8d19dbe43c9156bec59501a17e06b559da86c9674811839f7925e78be9b4
Instruction Fuzzy Hash: 8541F332A403047BDB10A7699C47EFF7B6CFF42750F144069FA08E6293FB65D90296A6

Function 008DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008DCD48

Part of subcall function 008DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008DCCAA
Part of subcall function 008DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008DCCBD
Part of subcall function 008DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008DCCCF
Part of subcall function 008DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008DCD05
Part of subcall function 008DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 008DCCF3

Strings

advapi32.dll, xrefs: 008DCCB8
RegDeleteKeyExW, xrefs: 008DCCC9

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 12e197b2a8175fd8dd491e379cb924f764c3633c2773fd319f1dae5a7a9d266d
Instruction ID: 9d50504126de3a6af7094f9f65c6d281b1252645b7a701b13bd34e23c21e1559
Opcode Fuzzy Hash: 12e197b2a8175fd8dd491e379cb924f764c3633c2773fd319f1dae5a7a9d266d
Instruction Fuzzy Hash: BB316E71D0112ABBDB208B94DC88EFFBB7CFF45754F000266F905E6240DA349A46DAA0

Function 008C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008C3D40
_wcslen.LIBCMT ref: 008C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 008C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008C3E55
CloseHandle.KERNEL32(00000000), ref: 008C3E60
CloseHandle.KERNEL32(00000000), ref: 008C3E6B

Strings

\??\%s, xrefs: 008C3D5B
:, xrefs: 008C3D82
\, xrefs: 008C3D77

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: fba9d26e22d114558c5032184db2231aaa6d6bd6044b8976188e7ba16de20c74
Instruction ID: e8192c8ba0034345ef1564c9062d73ae1404ea1495e291962d9f784d3d2e9b60
Opcode Fuzzy Hash: fba9d26e22d114558c5032184db2231aaa6d6bd6044b8976188e7ba16de20c74
Instruction Fuzzy Hash: EC31A371A00249ABDB209BA4DC89FEF37BCFF89700F1081A9F619D6160EB70D7458B24

Function 008BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008BE6B4

Part of subcall function 0086E551: timeGetTime.WINMM(?,?,008BE6D4), ref: 0086E555

Sleep.KERNEL32(0000000A), ref: 008BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008BE727
SetActiveWindow.USER32 ref: 008BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008BE773
Sleep.KERNEL32(000000FA), ref: 008BE77E
IsWindow.USER32 ref: 008BE78A
EndDialog.USER32(00000000), ref: 008BE79B

Strings

BUTTON, xrefs: 008BE719

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 90c0cd760a32ccbbbef8f323b3fc7e460a4cd0d478ee7080ad70b27287969813
Instruction ID: 547f38462d35bf80c70c1ef384057663b6e06a5e1961619724dd76573441c913
Opcode Fuzzy Hash: 90c0cd760a32ccbbbef8f323b3fc7e460a4cd0d478ee7080ad70b27287969813
Instruction Fuzzy Hash: 2621E771614288BFEB205F24ECC9EAA3B69FB65348F101425F811D53B1DF71AC02EB25

Function 008BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008BEAA7

Strings

open , xrefs: 008BEA0C
status PlayMe mode, xrefs: 008BEA58
play PlayMe, xrefs: 008BEAA2
alias PlayMe, xrefs: 008BEA36
close PlayMe, xrefs: 008BEA6E, 008BEA9B
play PlayMe wait, xrefs: 008BEA91

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4b4182f4ed170470b4fc283686e263014235cef66b534922c880430b590c95e1
Instruction ID: 508c50d95e471a964f52f6b7afc3c697be1167c60060ca4079d597dd07fd38c9
Opcode Fuzzy Hash: 4b4182f4ed170470b4fc283686e263014235cef66b534922c880430b590c95e1
Instruction Fuzzy Hash: BC114C21A9026D7ED720A7A9DC4ADFB6A7CFBD1B44F401429B811E21D1EEB01A89C5B1

Function 008B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008B5CE2
GetWindowRect.USER32(00000000,?), ref: 008B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008B5D59
GetDlgItem.USER32(?,00000002), ref: 008B5D69
GetWindowRect.USER32(00000000,?), ref: 008B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008B5DCF
GetDlgItem.USER32(?,000003E9), ref: 008B5DDD
GetWindowRect.USER32(00000000,?), ref: 008B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008B5E31
GetDlgItem.USER32(?,000003EA), ref: 008B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008B5E67

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3855971d6bc574e5018d1a163945a5f0722ef2c95234ede6fb9e8f6557157f19
Instruction ID: 52421d5b2ee5b768bacd1aace6344ec381d02d44be28fc780bc75529da3e1cc5
Opcode Fuzzy Hash: 3855971d6bc574e5018d1a163945a5f0722ef2c95234ede6fb9e8f6557157f19
Instruction Fuzzy Hash: CA51FD71E00609AFDF18CF68DD89AAEBBB5FB58300F548229F915E6290D770AE05CB50

Function 00868BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00868F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00868BE8,?,00000000,?,?,?,?,00868BBA,00000000,?), ref: 00868FC5

DestroyWindow.USER32(?), ref: 00868C81
KillTimer.USER32(00000000,?,?,?,?,00868BBA,00000000,?), ref: 00868D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00868BBA,00000000,?), ref: 008A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00868BBA,00000000,?), ref: 008A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00868BBA,00000000), ref: 008A69D4
DeleteObject.GDI32(00000000), ref: 008A69E6

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e525cfb3398f7e7116f79b2443716e23803bd91343e51fdfbc0f4e4b91d2a89c
Instruction ID: f269efcc3268d62c7210206b6a246be388a9492bb67abfc5fde73bd07fa1cc05
Opcode Fuzzy Hash: e525cfb3398f7e7116f79b2443716e23803bd91343e51fdfbc0f4e4b91d2a89c
Instruction Fuzzy Hash: 6961DA30402704DFDB369F28D998B267BF1FB61316F194618E046DB960CB31A8E2DF91

Function 00869838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00869944: GetWindowLongW.USER32(?,000000EB), ref: 00869952

GetSysColor.USER32(0000000F), ref: 00869862

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c2986909ce0b950910548aa9fc9b6ab4fba62de40e043efbc65e7123e785554c
Instruction ID: 88cbe364f6ade16f933bbe344df13a16750a9f72fe465071022e0c1e0cd3598b
Opcode Fuzzy Hash: c2986909ce0b950910548aa9fc9b6ab4fba62de40e043efbc65e7123e785554c
Instruction Fuzzy Hash: 89417C31504644EFDB205F389C88BBA3BA9FB46361F154669F9E2CB1E1D7319C42DB11

Function 008B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0089F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008B9717
LoadStringW.USER32(00000000,?,0089F7F8,00000001), ref: 008B9720

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0089F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008B9742
LoadStringW.USER32(00000000,?,0089F7F8,00000001), ref: 008B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008B9866

Strings

Line %d (File "%s"):, xrefs: 008B978F
Line %d:, xrefs: 008B97A0
Error: , xrefs: 008B981D
%s (%d) : ==> %s: %s %s, xrefs: 008B984A
^ ERROR, xrefs: 008B97FB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4c4f98a545407837394ea3f051438c206d7ff6e2b2247ba777b1b2dc8665ded6
Instruction ID: b6e1ed3238f8ce19866f5f0ef19683e37dcb53f2c388d23b3262ceaadb51897f
Opcode Fuzzy Hash: 4c4f98a545407837394ea3f051438c206d7ff6e2b2247ba777b1b2dc8665ded6
Instruction Fuzzy Hash: 71415A7290021DAACF04EBE8DD86DEEB778FF55341F500065FA05B2192EA356F49CB62

Function 008B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008B083C

Strings

SOFTWARE\Classes\, xrefs: 008B070E
\CLSID, xrefs: 008B0724
\IPC$, xrefs: 008B0784

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 88bff457a297e45a7e2cf210e0ce9a06042ec7f5574c16e8f41b6233470af3d5
Instruction ID: a04a155ba5c08795786e071500929fa3b271ab8ed490aac006bcb717df14f1d5
Opcode Fuzzy Hash: 88bff457a297e45a7e2cf210e0ce9a06042ec7f5574c16e8f41b6233470af3d5
Instruction Fuzzy Hash: 4C410672C1022DEBCF15EBA4DC958EEB778FF44351B454129E811A7261EB309E48CF91

Function 008D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D3C5C
CoInitialize.OLE32(00000000), ref: 008D3C8A
CoUninitialize.OLE32 ref: 008D3C94
_wcslen.LIBCMT ref: 008D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 008D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 008D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008D3F0E
CoGetObject.OLE32(?,00000000,008EFB98,?), ref: 008D3F2D
SetErrorMode.KERNEL32(00000000), ref: 008D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008D3FC4
VariantClear.OLEAUT32(?), ref: 008D3FD8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bff8a6d75fa6e3c9471356fff647c8c761eec01fc8db62e359600b7f7778fb98
Instruction ID: a0b549052bbccab30c8549300b59560535e5e2fdd95d7fdcd71df4d14d054310
Opcode Fuzzy Hash: bff8a6d75fa6e3c9471356fff647c8c761eec01fc8db62e359600b7f7778fb98
Instruction Fuzzy Hash: B5C104716082059FD700DF68C88492BB7E9FF89748F144A1EF98ADB251DB31EE05CB52

Function 008C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 008C7BA3
CoCreateInstance.OLE32(008EFD08,00000000,00000001,00916E6C,?), ref: 008C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008C7C74
CoTaskMemFree.OLE32(?,?), ref: 008C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 008C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008C7D7A
CoTaskMemFree.OLE32(00000000), ref: 008C7D81
CoTaskMemFree.OLE32(00000000), ref: 008C7DD6
CoUninitialize.OLE32 ref: 008C7DDC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 01ea8803dca0c0b4a5fcdbe107f807e628f087f12c025d2f1b2345f7c9f5d3a6
Instruction ID: b9006390a89bfb45ce65bd45e60b9099861f4ad8c0f76adaf4ce36bf19ac2d98
Opcode Fuzzy Hash: 01ea8803dca0c0b4a5fcdbe107f807e628f087f12c025d2f1b2345f7c9f5d3a6
Instruction Fuzzy Hash: 97C1FA75A04119AFCB14DFA8C884DAEBBF9FF48314B1484A9E91ADB261D730ED45CF90

Function 008E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008E5515
CharNextW.USER32(00000158), ref: 008E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008E55AC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d0b010eeae76f0ab7c35f421bf7fa43b0994296058eaa614e43fdbf0b7ff3446
Instruction ID: 51f77c7795f9dd2152375f2b2b59efc0448d798f210130acf15c04e6044faccb
Opcode Fuzzy Hash: d0b010eeae76f0ab7c35f421bf7fa43b0994296058eaa614e43fdbf0b7ff3446
Instruction Fuzzy Hash: 3361BF70900689EFDF109F56DC84AFE3BB9FB06328F104149F925EB2A1D7708A81DB61

Function 008AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008AFB08
VariantInit.OLEAUT32(?), ref: 008AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008AFB3A
VariantCopy.OLEAUT32(?,?), ref: 008AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008AFBA1
VariantClear.OLEAUT32(?), ref: 008AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008AFBCC
VariantClear.OLEAUT32(?), ref: 008AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008AFBE9

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2745512e174a6573545d1522063443ec927e7241b2b214511f4605510075af10
Instruction ID: f9592a36bb37bee78df47e91322cbc0b1b694d08dce6a5af14d35a4609e49bec
Opcode Fuzzy Hash: 2745512e174a6573545d1522063443ec927e7241b2b214511f4605510075af10
Instruction Fuzzy Hash: 5D415235E002199FDB00DFA8C894DADBBB9FF09354F008065F955EB261DB30A946CFA1

Function 008B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008B9D22
GetKeyState.USER32(000000A0), ref: 008B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008B9D57
GetKeyState.USER32(000000A1), ref: 008B9D6C
GetAsyncKeyState.USER32(00000011), ref: 008B9D84
GetKeyState.USER32(00000011), ref: 008B9D96
GetAsyncKeyState.USER32(00000012), ref: 008B9DAE
GetKeyState.USER32(00000012), ref: 008B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008B9DD8
GetKeyState.USER32(0000005B), ref: 008B9DEA

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 61b323f545af4d11698720f4e0d3873f35a9ddec385bc5df8c94fa56708f14f4
Instruction ID: 1243cc4e614e6eb889a598bdba0f50685123895e79298d7bc7e832e236af1571
Opcode Fuzzy Hash: 61b323f545af4d11698720f4e0d3873f35a9ddec385bc5df8c94fa56708f14f4
Instruction Fuzzy Hash: 9441D8345047C96DFF31866584543F5BEA0FF11344F48805ADBC69A7C2D7E4A9C8CBA2

Function 008D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008D05BC
inet_addr.WSOCK32(?), ref: 008D061C
gethostbyname.WSOCK32(?), ref: 008D0628
IcmpCreateFile.IPHLPAPI ref: 008D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008D07B9
WSACleanup.WSOCK32 ref: 008D07BF

Strings

Ping, xrefs: 008D0676

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a5a91cfa678977450268adc2c584bcbcf1bda83e22262c5d1a77e058bf09dce5
Instruction ID: a5626c9330f0da9b1ea0711559aaf70bf5dfad36c3dae7309e7064c8296eb6da
Opcode Fuzzy Hash: a5a91cfa678977450268adc2c584bcbcf1bda83e22262c5d1a77e058bf09dce5
Instruction Fuzzy Hash: 4A915B35A042419FD720DF19D888B1ABBE0FB44318F1486AAE469DF7A2C731ED45CF92

Function 008D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008D8CF3

Part of subcall function 008B8E54: _wcslen.LIBCMT ref: 008B8E77

_wcslen.LIBCMT ref: 008D8D4E
_wcslen.LIBCMT ref: 008D8D9C
_wcslen.LIBCMT ref: 008D8DDC
_wcslen.LIBCMT ref: 008D8E6E

Strings

none, xrefs: 008D8E65, 008D8E6A
cdecl, xrefs: 008D8D48, 008D8D4D
winapi, xrefs: 008D8D96, 008D8D9B
stdcall, xrefs: 008D8DD6, 008D8DDB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 40617ea7e3b47ae0e868216fae519d05273fa378a706cd61fdcd347bd0a451f1
Instruction ID: 5bd3065001f600dd099638a27f495c7d0eac0d023bbe11cf195ef1cafc478659
Opcode Fuzzy Hash: 40617ea7e3b47ae0e868216fae519d05273fa378a706cd61fdcd347bd0a451f1
Instruction Fuzzy Hash: 09515B31A0011ADACB24DF6CC9419BEB7A6FF65724B21432AE866E73C5DB31DD408B91

Function 008D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 008D3774
CoUninitialize.OLE32 ref: 008D377F
CoCreateInstance.OLE32(?,00000000,00000017,008EFB78,?), ref: 008D37D9
IIDFromString.OLE32(?,?), ref: 008D384C
VariantInit.OLEAUT32(?), ref: 008D38E4
VariantClear.OLEAUT32(?), ref: 008D3936

Strings

NULL Pointer assignment, xrefs: 008D381E
Invalid parameter, xrefs: 008D3865
Failed to create object, xrefs: 008D37E4, 008D389A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 9219c58f8fbf4abb83421beaa8f7c8b5f1a156c0d1081a1b979e4265555341f0
Instruction ID: fc36c4972a78ed96b39af14ff05d344dc5873bcceebc0cdcf6aa2da20dec615b
Opcode Fuzzy Hash: 9219c58f8fbf4abb83421beaa8f7c8b5f1a156c0d1081a1b979e4265555341f0
Instruction Fuzzy Hash: DB617970608711AFD310DF54C888A6ABBE4FF49714F100A2AF995DB391D770EA49CB93

Function 008C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008C33CF

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008C33F0

Strings

Line %d (File "%s"):, xrefs: 008C3443, 008C345C
Error: , xrefs: 008C34D1
Incorrect parameters to object property !, xrefs: 008C34AB
"%s" (%d) : ==> %s:, xrefs: 008C3522
"%s" (%d) : ==> %s:%s%s, xrefs: 008C3504
^ ERROR , xrefs: 008C349E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6b2f0519ed1eb0833b69411d8fcdb0cbc3a8bbec69585d3494cf0e70f24aac7d
Instruction ID: 1a96b2c988fe64c9c16ddcdf11cf75656d1a8ac33f047ff0a7262c89ea707da1
Opcode Fuzzy Hash: 6b2f0519ed1eb0833b69411d8fcdb0cbc3a8bbec69585d3494cf0e70f24aac7d
Instruction Fuzzy Hash: 27518C32D00209AADF15EBA4DD42EEEB779FF14341F104065F905B21A2EB316F99DB62

Function 008BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008BB5FC
_wcslen.LIBCMT ref: 008BB608
_wcslen.LIBCMT ref: 008BB64D
_wcslen.LIBCMT ref: 008BB68C
_wcslen.LIBCMT ref: 008BB6C7

Strings

KEYS, xrefs: 008BB647, 008BB64C
EXISTS, xrefs: 008BB686, 008BB68B
REMOVE, xrefs: 008BB602, 008BB607
APPEND, xrefs: 008BB6C1, 008BB6C6

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: efe7969786c8f645909185017477f8863473138faf5c48a57f977875ca55fe17
Instruction ID: 0d3d9917b957d6e296659a36e105a8c980cc0dddc82be6656a2c7dd6320063c5
Opcode Fuzzy Hash: efe7969786c8f645909185017477f8863473138faf5c48a57f977875ca55fe17
Instruction Fuzzy Hash: 7241C432A001269BCB205F7D8C905FE7BA5FBB2758B244229E425DB384F771CD81C790

Function 008C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008C5416
GetLastError.KERNEL32 ref: 008C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 008C54A7

Strings

READONLY, xrefs: 008C5452
UNKNOWN, xrefs: 008C5444
INVALID, xrefs: 008C5459
NOTREADY, xrefs: 008C544B
READY, xrefs: 008C5460, 008C5468

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6f98d06cf3397eb414cbae203bdf91b146c9ce1cddecf3f30aaacb1e326d98cc
Instruction ID: 9990d6c78c889f161932f7e111b4536acca5619adc8ed0a5c3b39ab52a5f0a5f
Opcode Fuzzy Hash: 6f98d06cf3397eb414cbae203bdf91b146c9ce1cddecf3f30aaacb1e326d98cc
Instruction Fuzzy Hash: 4D3160B5A006089FDB14DF68C884FAA7BB4FF45309F548069E805DB292DB71EDC6CB91

Function 008E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008E3C79
SetMenu.USER32(?,00000000), ref: 008E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E3D10
IsMenu.USER32(?), ref: 008E3D24
CreatePopupMenu.USER32 ref: 008E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008E3D5B
DrawMenuBar.USER32 ref: 008E3D63

Strings

F, xrefs: 008E3D4E
0, xrefs: 008E3C54

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: f64bd166dc3d1e363854d4c0109370ae544c63657122ce86f1668ace7fc07f97
Instruction ID: 79d11dbb478bb8e4a992e1d345ccbd96bf672877b527d2674966544f7a1a4ad2
Opcode Fuzzy Hash: f64bd166dc3d1e363854d4c0109370ae544c63657122ce86f1668ace7fc07f97
Instruction Fuzzy Hash: EA414A79A01249EFDB14CF65D888AAA7BB5FF4A350F140029E956EB360D730AE11CF94

Function 008E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008E3C13

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3fa51899fd3caaec87763d8ec982dadd285f3d9cabfe62eec0047d29f70b4f2f
Instruction ID: 8977d88d10dc1ea62d78dc53e2d2e14767cf6a3ae85d59677a0c4bf990bb0f22
Opcode Fuzzy Hash: 3fa51899fd3caaec87763d8ec982dadd285f3d9cabfe62eec0047d29f70b4f2f
Instruction Fuzzy Hash: F8617B75900248AFDB21DFA8CC85EEE77B8FB4A714F100199FA15E72A1C770AE81DB50

Function 008BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB165
GetWindowThreadProcessId.USER32(00000000), ref: 008BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008BA1E1,?,00000001), ref: 008BB21D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 1b5bc175e49011e2530d032bdaeecf14747b8de64dafadb639144cc509ff3e24
Instruction ID: e5e91f5683d155037d1c2441e19b6c6d9f9a2822422796f9842a2bcde11b9426
Opcode Fuzzy Hash: 1b5bc175e49011e2530d032bdaeecf14747b8de64dafadb639144cc509ff3e24
Instruction Fuzzy Hash: 3E31A271655204BFDB209F64DC88FAE7BA9FB51311F108009FA11DA2A0D7F89E428F74

Function 00882C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00882C94

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

_free.LIBCMT ref: 00882CA0
_free.LIBCMT ref: 00882CAB
_free.LIBCMT ref: 00882CB6
_free.LIBCMT ref: 00882CC1
_free.LIBCMT ref: 00882CCC
_free.LIBCMT ref: 00882CD7
_free.LIBCMT ref: 00882CE2
_free.LIBCMT ref: 00882CED
_free.LIBCMT ref: 00882CFB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 273606be5f97725babb06b3dd5e949c9852a7bace26235e24e338695fb6da4cd
Instruction ID: d3cd2a05789f72623d80f27941368f51a8eb277a4864dbdb97b1e567739032d3
Opcode Fuzzy Hash: 273606be5f97725babb06b3dd5e949c9852a7bace26235e24e338695fb6da4cd
Instruction Fuzzy Hash: 75119376100108AFCB02FF98DC82DDD3FA5FF05350F4244A5FA489B222DA35EE509B91

Function 00851410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00851459
OleUninitialize.OLE32(?,00000000), ref: 008514F8
UnregisterHotKey.USER32(?), ref: 008516DD
DestroyWindow.USER32(?), ref: 008924B9
FreeLibrary.KERNEL32(?), ref: 0089251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0089254B

Strings

close all, xrefs: 00851454

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 39196e31adf651bbfc1dfc8dba0eb01049b3263fe35bb87859102330804b052a
Instruction ID: dd07bb89a26fe0efdb172d37b623b5d310bc5aec3c60a424f8e07e0b57664e3f
Opcode Fuzzy Hash: 39196e31adf651bbfc1dfc8dba0eb01049b3263fe35bb87859102330804b052a
Instruction Fuzzy Hash: 56D156316012129FCF29EF19C899B29F7A0FF05715F1941ADE94AEB252DB30AC1ACF51

Function 008C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 008C7FC1
GetFileAttributesW.KERNEL32(?), ref: 008C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 008C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 008C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008C80B0

Strings

*.*, xrefs: 008C8066

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9ff5d5071c7a699705802187749ba30cd6b2757f76b3b92f91877f493c91eb34
Instruction ID: b19f3c862bd2e8fff42236ce8dc213fd89b51fe961165a341529bb80076fefa3
Opcode Fuzzy Hash: 9ff5d5071c7a699705802187749ba30cd6b2757f76b3b92f91877f493c91eb34
Instruction Fuzzy Hash: 31818F725082459BCB20EF18C884EAAB3E8FF85754F14486EF889D7250EB35DD49CF52

Function 00855BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00855C7A

Part of subcall function 00855D0A: GetClientRect.USER32(?,?), ref: 00855D30
Part of subcall function 00855D0A: GetWindowRect.USER32(?,?), ref: 00855D71
Part of subcall function 00855D0A: ScreenToClient.USER32(?,?), ref: 00855D99

GetDC.USER32 ref: 008946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00894708
SelectObject.GDI32(00000000,00000000), ref: 00894716
SelectObject.GDI32(00000000,00000000), ref: 0089472B
ReleaseDC.USER32(?,00000000), ref: 00894733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008947C4

Strings

U, xrefs: 00894693

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 42a082816f45759b7e7f903c865ddda619580e47f8e3d489c2d16638cf4168a5
Instruction ID: 3e113767c430fd01f8232ae6f95a1d0896f7cfb44751561c81d35cad4c499116
Opcode Fuzzy Hash: 42a082816f45759b7e7f903c865ddda619580e47f8e3d489c2d16638cf4168a5
Instruction Fuzzy Hash: 8471DF3440020DEFCF21AFA4C984EAA3BB1FF56325F181269ED51DA266C7309C46DF50

Function 008C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008C35E4

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

LoadStringW.USER32(00922390,?,00000FFF,?), ref: 008C360A

Strings

Line %d (File "%s"):, xrefs: 008C366B
Error: , xrefs: 008C36EF
^ ERROR, xrefs: 008C36C9
"%s" (%d) : ==> %s:, xrefs: 008C3742
"%s" (%d) : ==> %s:%s%s, xrefs: 008C3724

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 20a9c30e17c71772ee5ee651b9fe43a3b811bd35e70cbd8bf409569cd4281c6e
Instruction ID: ae17ff08e444d3302486e07363a6dacf16106bb10b36f9f568aaf15300076022
Opcode Fuzzy Hash: 20a9c30e17c71772ee5ee651b9fe43a3b811bd35e70cbd8bf409569cd4281c6e
Instruction Fuzzy Hash: BB517F72D00209BACF14EBA4DC42EEEBB79FF14341F544129F505B21A2EB315B99DB62

Function 008E8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

Part of subcall function 0086912D: GetCursorPos.USER32(?), ref: 00869141
Part of subcall function 0086912D: ScreenToClient.USER32(00000000,?), ref: 0086915E
Part of subcall function 0086912D: GetAsyncKeyState.USER32(00000001), ref: 00869183
Part of subcall function 0086912D: GetAsyncKeyState.USER32(00000002), ref: 0086919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 008E8B6B
ImageList_EndDrag.COMCTL32 ref: 008E8B71
ReleaseCapture.USER32 ref: 008E8B77
SetWindowTextW.USER32(?,00000000), ref: 008E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008E8CFF

Strings

@GUI_DRAGFILE, xrefs: 008E8C9A
@GUI_DROPID, xrefs: 008E8C51

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: c754485d8cb8f1eab0a5875810b248278a71e99d84596b4d71bf8319c487177a
Instruction ID: f848ad28c70841efc1dbb7917e88f2508a0ec98985b06efca68fdbbc0a85f174
Opcode Fuzzy Hash: c754485d8cb8f1eab0a5875810b248278a71e99d84596b4d71bf8319c487177a
Instruction Fuzzy Hash: 0151CB70104340AFD714DF28DC96BAE77E4FB89714F10062DF996A72E1CB709959CB62

Function 008CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008CC2CA
GetLastError.KERNEL32 ref: 008CC322
SetEvent.KERNEL32(?), ref: 008CC336
InternetCloseHandle.WININET(00000000), ref: 008CC341

Strings

, xrefs: 008CC2BB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 60eeca1c94881fa6276695b05136039b1c59ba006c7b14ffeaf2994f782264b0
Instruction ID: 992fae716d7d8d308ec63b09bb3e5691039b8755da87ccdbc65f34b47158e649
Opcode Fuzzy Hash: 60eeca1c94881fa6276695b05136039b1c59ba006c7b14ffeaf2994f782264b0
Instruction Fuzzy Hash: 0E3169B1A00648AFD7219FA8AC88FAB7BFCFB49744B14851EF44AD6201DB30DD459B61

Function 008B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00893AAF,?,?,Bad directive syntax error,008ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008B98BC
LoadStringW.USER32(00000000,?,00893AAF,?), ref: 008B98C3

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008B9987

Strings

Line %d (File "%s"):, xrefs: 008B992D
Line %d:, xrefs: 008B9912
Error: , xrefs: 008B9955
%s (%d) : ==> %s.: %s %s, xrefs: 008B98F1
., xrefs: 008B996D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 777c3a22e9ba65716d2a34584ab71584e1ccd11e3642afba8f0bb3931c899774
Instruction ID: ea77af26700e0ad0dfed3c61acdc748069d926b524d6cab2683aa35111624a17
Opcode Fuzzy Hash: 777c3a22e9ba65716d2a34584ab71584e1ccd11e3642afba8f0bb3931c899774
Instruction Fuzzy Hash: C221A631D0021EEBCF11AF94CC06EEE7B35FF14305F044465F615A51A2DB719A58CB12

Function 008B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008B214D

Strings

SHELLDLL_DefView, xrefs: 008B20CC
largeicons, xrefs: 008B20E1
list, xrefs: 008B212F
smallicons, xrefs: 008B2115
details, xrefs: 008B20FB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 986fc506688163c34ffd397b55375779f91a64dd94fa7c3e0c8073384e1d5c0e
Instruction ID: 2d017838142aecb6f6c0b886ec9d27854ec94be3a46d235baf2a15bce25f3708
Opcode Fuzzy Hash: 986fc506688163c34ffd397b55375779f91a64dd94fa7c3e0c8073384e1d5c0e
Instruction Fuzzy Hash: AE1136767C870BF9F6012228DC06CE7739CFB54328B21401AFB08E41E5FA65B8825A14

Function 0088CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0088CEB7
_free.LIBCMT ref: 0088CF22
_free.LIBCMT ref: 0088CF48
_free.LIBCMT ref: 0088CF71
_free.LIBCMT ref: 0088CFA9
_free.LIBCMT ref: 0088CFDA
_free.LIBCMT ref: 0088D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0088D09C
_free.LIBCMT ref: 0088D0B5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 457f440411427c27ad8670c9880c82f037aaebfd69d8f615cdc5170f67d19933
Instruction ID: e83bfcbb41a16c12be10e54e77896afa2cc7b4315627e35516ffef19a15746d2
Opcode Fuzzy Hash: 457f440411427c27ad8670c9880c82f037aaebfd69d8f615cdc5170f67d19933
Instruction Fuzzy Hash: 36614771908305AFEF31BFB89C81A697BA5FF05310F14416EFA44D7286DB719D0287A1

Function 00868B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00868874,00000000,00000000,00000000,000000FF,00000000), ref: 008A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00868874,00000000,00000000,00000000,000000FF,00000000), ref: 008A692D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6e8afcc140d82e297ef30caeeeb93d6d30fa5d03a33517b75b44abc0633b160b
Instruction ID: 96a29b9f4ccbc55b958054db9a9a7e273d5753ae67ebb4b369f8af60548567c1
Opcode Fuzzy Hash: 6e8afcc140d82e297ef30caeeeb93d6d30fa5d03a33517b75b44abc0633b160b
Instruction Fuzzy Hash: 7F519C70A00209EFEB20CF24CC95FAA7BB5FB54760F144618F956D72A0EB70E9A1DB40

Function 008CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008CC182
GetLastError.KERNEL32 ref: 008CC195
SetEvent.KERNEL32(?), ref: 008CC1A9

Part of subcall function 008CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008CC272
Part of subcall function 008CC253: GetLastError.KERNEL32 ref: 008CC322
Part of subcall function 008CC253: SetEvent.KERNEL32(?), ref: 008CC336
Part of subcall function 008CC253: InternetCloseHandle.WININET(00000000), ref: 008CC341

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ba7d425069b8c1749f0f46da75e5f61dbafe99afdc45108b707e6666c77c8d92
Instruction ID: 64b8a2412c2c58d58af3caa200e788ba0eb6fc5f8a205ac49a2ffbb838432537
Opcode Fuzzy Hash: ba7d425069b8c1749f0f46da75e5f61dbafe99afdc45108b707e6666c77c8d92
Instruction Fuzzy Hash: 65316D71A00645AFDB219FA9DC44F76BBF9FF18310B14841EF95AC6610D731E8159BA0

Function 008B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B3A57
Part of subcall function 008B3A3D: GetCurrentThreadId.KERNEL32 ref: 008B3A5E
Part of subcall function 008B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B25B3), ref: 008B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008B2627

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 91f93018c119401cfcc391d57ff691856d8cfea0315b766b375d9c3a00bb22ed
Instruction ID: 958cb3a7e1849fdeacb8628ab27a411eaa401fc34ee1c5cef41d56ea7be3db89
Opcode Fuzzy Hash: 91f93018c119401cfcc391d57ff691856d8cfea0315b766b375d9c3a00bb22ed
Instruction Fuzzy Hash: 5D01D830790664BBFB1067699CCAF9A3F59FB5EB12F100015F314EE1E1C9E114458A6A

Function 008B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008B1449,?,?,00000000), ref: 008B180C
HeapAlloc.KERNEL32(00000000,?,008B1449,?,?,00000000), ref: 008B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008B1449,?,?,00000000), ref: 008B1828
GetCurrentProcess.KERNEL32(?,00000000,?,008B1449,?,?,00000000), ref: 008B1830
DuplicateHandle.KERNEL32(00000000,?,008B1449,?,?,00000000), ref: 008B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008B1449,?,?,00000000), ref: 008B1843
GetCurrentProcess.KERNEL32(008B1449,00000000,?,008B1449,?,?,00000000), ref: 008B184B
DuplicateHandle.KERNEL32(00000000,?,008B1449,?,?,00000000), ref: 008B184E
CreateThread.KERNEL32(00000000,00000000,008B1874,00000000,00000000,00000000), ref: 008B1868

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e6fe18b7696c14ea8a8dcc6ca1532c3afdb27a8d5810184330a864d4ef0ceb3d
Instruction ID: 773610b90b063ef91b7c48054d3491f9a04b0311fb113b10267b288b02b52891
Opcode Fuzzy Hash: e6fe18b7696c14ea8a8dcc6ca1532c3afdb27a8d5810184330a864d4ef0ceb3d
Instruction Fuzzy Hash: E601BBB5640348BFE710ABA5DC8DF6B7BACFB89B11F404411FA15DF2A1CA749801CB20

Function 008DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008BD501
Part of subcall function 008BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008BD50F
Part of subcall function 008BD4DC: CloseHandle.KERNEL32(00000000), ref: 008BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008DA16D
GetLastError.KERNEL32 ref: 008DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 008DA268
GetLastError.KERNEL32(00000000), ref: 008DA273
CloseHandle.KERNEL32(00000000), ref: 008DA2C4

Strings

SeDebugPrivilege, xrefs: 008DA18F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 17f6439a9b087b6253703038af6008ddc45cc7bdc7288cac3aeb6bdadc9cdb36
Instruction ID: 0dd178bae4804fb0f3448ecc25e03239eb2be0639d8810aa7d48e6d363b1aac1
Opcode Fuzzy Hash: 17f6439a9b087b6253703038af6008ddc45cc7bdc7288cac3aeb6bdadc9cdb36
Instruction Fuzzy Hash: 43618C30204242AFD714DF19C894F16BBE1FF44318F64859DE8668B7A2C772ED49CB92

Function 008E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008E3954
_wcslen.LIBCMT ref: 008E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008E39F4

Strings

SysListView32, xrefs: 008E38F7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 19c977425e620b4697cb2957e5dcec35eadf68d048fb4071b7c09a8fe31f0417
Instruction ID: 9d54ca97b2583e91aab2877594e967ef73ee076aaf73cc8d744ad13e388bd93f
Opcode Fuzzy Hash: 19c977425e620b4697cb2957e5dcec35eadf68d048fb4071b7c09a8fe31f0417
Instruction Fuzzy Hash: D941E371A00259ABEF219F65CC49BEA7BA9FF09350F10012AF948E7291D771DE80CB90

Function 008BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BBCFD
IsMenu.USER32(00000000), ref: 008BBD1D
CreatePopupMenu.USER32 ref: 008BBD53
GetMenuItemCount.USER32(00EF5900), ref: 008BBDA4
InsertMenuItemW.USER32(00EF5900,?,00000001,00000030), ref: 008BBDCC

Strings

2, xrefs: 008BBD37
0, xrefs: 008BBCA8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 59dc9358032c1c38602318e61396901a971254691b196df126eeb0e629574af2
Instruction ID: 967b6863e810c6f3872b134290d6182cc1dca0ee41a85a0f638924d907ce2720
Opcode Fuzzy Hash: 59dc9358032c1c38602318e61396901a971254691b196df126eeb0e629574af2
Instruction Fuzzy Hash: 99518C70A042099BDF20CFA8D884BEEBBF4FF45354F184659E411DB391D7B89945CB62

Function 008BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008BC913

Strings

blank, xrefs: 008BC895
question, xrefs: 008BC8CC
info, xrefs: 008BC8B4
stop, xrefs: 008BC8E4
warning, xrefs: 008BC8FC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d78230f5d58c72c2aa266afb70e21907c57936cd65cc29462cd1c6f4fafeb56f
Instruction ID: 7c376e686a2c6071a120061a7b2323e7da09a662424c8589910a463d3332981e
Opcode Fuzzy Hash: d78230f5d58c72c2aa266afb70e21907c57936cd65cc29462cd1c6f4fafeb56f
Instruction Fuzzy Hash: FE110D31B8930BBAF7015B549C83CEB6B9CFF55359B10403AF504E63C2D7709D805265

Function 008BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008BED2A
_wcslen.LIBCMT ref: 008BED3B
_wcslen.LIBCMT ref: 008BED79
_wcslen.LIBCMT ref: 008BEDAF
_wcslen.LIBCMT ref: 008BEDDF
_wcslen.LIBCMT ref: 008BEDEF
_wcslen.LIBCMT ref: 008BEE2B
_wcslen.LIBCMT ref: 008BEE5A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a053c29fe8a25d68d483e3c06d751ad65fcddf425c680529f47f543a4401afd8
Instruction ID: a90ae1a26c140a9964c39f2ad774660a009ae38518a6769e7f48f16125573f65
Opcode Fuzzy Hash: a053c29fe8a25d68d483e3c06d751ad65fcddf425c680529f47f543a4401afd8
Instruction Fuzzy Hash: B1414365D1021866CB11EBF8888AACF77A8FF45710F508566E51CE3226FB34E255C3A7

Function 0086F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008A682C,00000004,00000000,00000000), ref: 0086F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008A682C,00000004,00000000,00000000), ref: 008AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008A682C,00000004,00000000,00000000), ref: 008AF454

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 41dd49a1c5c014be22166f97917f7a80de043c417aee7683bb70b7f2b2171965
Instruction ID: 07d04e35b2965ef75adf36f38a3521b77cf84ed2fec40d4cd4ab87b106773e19
Opcode Fuzzy Hash: 41dd49a1c5c014be22166f97917f7a80de043c417aee7683bb70b7f2b2171965
Instruction Fuzzy Hash: 9A411C31508780BAE7398B6DE8C8B2A7F91FB56318F16453CE397D6A63C631D881DB11

Function 008E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008E2D1B
GetDC.USER32(00000000), ref: 008E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008E2DE1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c3093e5d2c583aa7a217f1ef1c208952a86f304f2c0cd51769b978ba4faa899b
Instruction ID: 11f34c018a826fbbcec4580972c83540614e14e000ecd3209b1124b5dbd9f293
Opcode Fuzzy Hash: c3093e5d2c583aa7a217f1ef1c208952a86f304f2c0cd51769b978ba4faa899b
Instruction Fuzzy Hash: CF318B72601294BBEB118F558C8AFEB3BADFB4A711F044055FE08DE2A1C6759C41CBA0

Function 008B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008B5637
_memcmp.LIBVCRUNTIME ref: 008B5659
_memcmp.LIBVCRUNTIME ref: 008B5671
_memcmp.LIBVCRUNTIME ref: 008B5684
_memcmp.LIBVCRUNTIME ref: 008B569E
_memcmp.LIBVCRUNTIME ref: 008B56B1
_memcmp.LIBVCRUNTIME ref: 008B56C9
_memcmp.LIBVCRUNTIME ref: 008B56E4

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: aada87660131ffda7b79042e38450537a7fdc3c2eaf08b357f7b0440bd625318
Instruction ID: 0c7542ebcff890124999f8e5fecebbc7e17aacc09d73521edbaba0d4ea792ac9
Opcode Fuzzy Hash: aada87660131ffda7b79042e38450537a7fdc3c2eaf08b357f7b0440bd625318
Instruction Fuzzy Hash: 4421FC7174091977E61455298D82FFB335CFF32398F644020FE09DAB86FB28EE1182A6

Function 008D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 008D502E, 008D5383
Not an Object type, xrefs: 008D5007

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b5d33eb75055314273002b38b906c1ddfa70565af93d2431d9f69588e3840331
Instruction ID: d6685004261426e335042fa84c9edc1f928cbe46dfc2460e0a15c2d88593db44
Opcode Fuzzy Hash: b5d33eb75055314273002b38b906c1ddfa70565af93d2431d9f69588e3840331
Instruction Fuzzy Hash: 9ED17C71A0060A9FDF14CFA8C881AAEB7B5FB48354F14826AE915EB381E771DD45CB90

Function 00891522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00891651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008917FB,?,008917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008916FB

Part of subcall function 00883820: RtlAllocateHeap.NTDLL(00000000,?,00921444,?,0086FDF5,?,?,0085A976,00000010,00921440,008513FC,?,008513C6,?,00851129), ref: 00883852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00891777
__freea.LIBCMT ref: 008917A2
__freea.LIBCMT ref: 008917AE

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f788290dea0b3b5a494771552d62f2b002d19b7d3fc0ff276204605cb7c0f6a4
Instruction ID: 226110a6951b50843e45b3a3c07afd30a369ab111bca065af77fe0e58d862a53
Opcode Fuzzy Hash: f788290dea0b3b5a494771552d62f2b002d19b7d3fc0ff276204605cb7c0f6a4
Instruction Fuzzy Hash: 1491C472E08217AADF21AEA4CC89AEE7BB5FF45714F1D4559E901E7141DB35CC40C760

Function 008D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D4648
VariantInit.OLEAUT32(?), ref: 008D4749
VariantClear.OLEAUT32(?), ref: 008D4753
VariantClear.OLEAUT32(?), ref: 008D47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008D45D8, 008D4706, 008D47BE
Incorrect Object type in FOR..IN loop, xrefs: 008D472C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1592046ccbd0582b18f4302c970f638fd102a3fbd447339ada6becfc7d437317
Instruction ID: b5830a9a2ea5072f676b547e2c65139c1dc7c43a64af1fa0c6894c79d0b56155
Opcode Fuzzy Hash: 1592046ccbd0582b18f4302c970f638fd102a3fbd447339ada6becfc7d437317
Instruction Fuzzy Hash: D5917071A00219ABDF20CFA5D884FAEBBB8FF46714F10865AF515EB281D7709945CFA0

Function 008C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008C1430

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: fe64d255706b59e8c4cf57d5eb0e8a63873375f184856ee629c026efd11e9f00
Instruction ID: 7c03884a8a60e31116d39cc7c0b2fd52baeb6462e94212c42685b3ce875573d2
Opcode Fuzzy Hash: fe64d255706b59e8c4cf57d5eb0e8a63873375f184856ee629c026efd11e9f00
Instruction Fuzzy Hash: 6191CE75A002199FDB04DFA8C8C8FAEB7B5FF46319F108029E900EB292D774E941CB95

Function 0086948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ca60d4bda3cb8ba842a952d210613871cd0928203beb9f846ff7977bb446fb66
Instruction ID: dd6bc56aa17f2ff4c23bb881b789cbe2758fca1318b33cbdea1a43429d6504b3
Opcode Fuzzy Hash: ca60d4bda3cb8ba842a952d210613871cd0928203beb9f846ff7977bb446fb66
Instruction Fuzzy Hash: 90911571D00219EFCB10CFA9CC88AEEBBB8FF49320F154059E556F7291D674AA42DB60

Function 008D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D396B
CharUpperBuffW.USER32(?,?), ref: 008D3A7A
_wcslen.LIBCMT ref: 008D3A8A
VariantClear.OLEAUT32(?), ref: 008D3C1F

Part of subcall function 008C0CDF: VariantInit.OLEAUT32(00000000), ref: 008C0D1F
Part of subcall function 008C0CDF: VariantCopy.OLEAUT32(?,?), ref: 008C0D28
Part of subcall function 008C0CDF: VariantClear.OLEAUT32(?), ref: 008C0D34

Strings

Incorrect Parameter format, xrefs: 008D39A6, 008D3BA1
AUTOIT.ERROR, xrefs: 008D3A80, 008D3A85

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: be4a9b30bd74efc143a745dc2a0c4960f56c6f218d0aa3adbbf231714edb1293
Instruction ID: af6356813cba4edebd68add3a4860856e4d914defd6406b4fc3fe86851f83c6d
Opcode Fuzzy Hash: be4a9b30bd74efc143a745dc2a0c4960f56c6f218d0aa3adbbf231714edb1293
Instruction Fuzzy Hash: 79911375A083059FC704DF68C48196AB7E4FB89314F14892EF899DB351DB31EE45CB92

Function 008D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?,?,008B035E), ref: 008B002B
Part of subcall function 008B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?), ref: 008B0046
Part of subcall function 008B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?), ref: 008B0054
Part of subcall function 008B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?), ref: 008B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 008D4C51
_wcslen.LIBCMT ref: 008D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 008D4DCF
CoTaskMemFree.OLE32(?), ref: 008D4DDA

Strings

NULL Pointer assignment, xrefs: 008D4E23, 008D4E52

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8c73a7b89e67c7bdd3b345a6d778f7f12919996603e55cab7f42105653525179
Instruction ID: 7163e42d4f1adbd9bf2dfc42e4ab0a0ed9590604a15e9d0a38fa36560257534e
Opcode Fuzzy Hash: 8c73a7b89e67c7bdd3b345a6d778f7f12919996603e55cab7f42105653525179
Instruction Fuzzy Hash: B591E771D0021DAFDF14DFA4C891AEEB7B9FF08314F10466AE915E7251EB309A458F61

Function 008E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008E2183
GetMenuItemCount.USER32(00000000), ref: 008E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008E21DD
_wcslen.LIBCMT ref: 008E2213
GetMenuItemID.USER32(?,?), ref: 008E224D
GetSubMenu.USER32(?,?), ref: 008E225B

Part of subcall function 008B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B3A57
Part of subcall function 008B3A3D: GetCurrentThreadId.KERNEL32 ref: 008B3A5E
Part of subcall function 008B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B25B3), ref: 008B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008E22E3

Part of subcall function 008BE97B: Sleep.KERNEL32 ref: 008BE9F3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a4eccabb442ddd185df3285bb68062a09094725874fcc427a2eeb930acc69c70
Instruction ID: 2fbdef5ed51e7f91690e1f77cd415d398bc05bec842f413771283cd7eec38978
Opcode Fuzzy Hash: a4eccabb442ddd185df3285bb68062a09094725874fcc427a2eeb930acc69c70
Instruction Fuzzy Hash: B5719D75E00245AFCB10EF69C881AAEBBF9FF49310F148459E916EB351DB34EE418B91

Function 008BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008BAEF9
GetKeyboardState.USER32(?), ref: 008BAF0E
SetKeyboardState.USER32(?), ref: 008BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008BB020

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2dd05aea7b5abb72bf7e9429e2b28c2ebbafcf44cbbae6d64eb6ce2e4909e781
Instruction ID: 3fe316008c58b65e2df843e43fc1e0cfe421bb8464450125c885845d224bb816
Opcode Fuzzy Hash: 2dd05aea7b5abb72bf7e9429e2b28c2ebbafcf44cbbae6d64eb6ce2e4909e781
Instruction Fuzzy Hash: D651D2A0A046D53DFB3A52388845BFA7EA9BB06304F088489E1E5D56C2C7D9E885D752

Function 008BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008BAD19
GetKeyboardState.USER32(?), ref: 008BAD2E
SetKeyboardState.USER32(?), ref: 008BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008BAE38

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ea020a17074a6820e92e3a1e5894ebbe0dc06ddbb33f2559d057688535650192
Instruction ID: dec22b8b1e0776568214cc5b3c1402008d2cc592c4090d5ddc7b95d7cdac3161
Opcode Fuzzy Hash: ea020a17074a6820e92e3a1e5894ebbe0dc06ddbb33f2559d057688535650192
Instruction Fuzzy Hash: A351D5A19047D53DFB3B8324CC95BFA7E99BB46300F0C8588E1D5D6AD2D294EC84D762

Function 0088542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00893CD6,?,?,?,?,?,?,?,?,00885BA3,?,?,00893CD6,?,?), ref: 00885470
__fassign.LIBCMT ref: 008854EB
__fassign.LIBCMT ref: 00885506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00893CD6,00000005,00000000,00000000), ref: 0088552C
WriteFile.KERNEL32(?,00893CD6,00000000,00885BA3,00000000,?,?,?,?,?,?,?,?,?,00885BA3,?), ref: 0088554B
WriteFile.KERNEL32(?,?,00000001,00885BA3,00000000,?,?,?,?,?,?,?,?,?,00885BA3,?), ref: 00885584

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6bfe67ee889528a3e249d234a710d54082f4660263c086d62ff65a6c6e692cc3
Instruction ID: 5cf9fa33119cbbaf2e6f65b5b692a3e6e2e20a21b9958e7f86fd9642454978cb
Opcode Fuzzy Hash: 6bfe67ee889528a3e249d234a710d54082f4660263c086d62ff65a6c6e692cc3
Instruction Fuzzy Hash: D851B1B1A00649AFDB10DFA8D895AEEBBF9FF09300F14415AF955E7291E730DA41CB60

Function 00872D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00872D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00872D53
_ValidateLocalCookies.LIBCMT ref: 00872DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00872E0C
_ValidateLocalCookies.LIBCMT ref: 00872E61

Strings

csm, xrefs: 00872DF6

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c1e23e27e0a9a3bba16131ebdadb79694a5b8103495a3a9912b9997c3dbf5d05
Instruction ID: f36d844faebd32373b945f4869286d77e35259638d649b060558963f2ac62b60
Opcode Fuzzy Hash: c1e23e27e0a9a3bba16131ebdadb79694a5b8103495a3a9912b9997c3dbf5d05
Instruction Fuzzy Hash: 69418234E0020DABCF20DF68C855A9EBFA5FF45328F14C165E819EB256D731EA15CB92

Function 008D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008D307A
Part of subcall function 008D304E: _wcslen.LIBCMT ref: 008D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008D1112
WSAGetLastError.WSOCK32 ref: 008D1121
WSAGetLastError.WSOCK32 ref: 008D11C9
closesocket.WSOCK32(00000000), ref: 008D11F9

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 7990a8c25b6e1e07d534909aa7802033189888e90519c087e80996c33166fdec
Instruction ID: a6c9dd90685124c9a0a4a598e23d756fa669a188d481674458a37c06932a69ea
Opcode Fuzzy Hash: 7990a8c25b6e1e07d534909aa7802033189888e90519c087e80996c33166fdec
Instruction Fuzzy Hash: 8341C031600214AFDF109F68CC88BAABBA9FF45369F14825AFD15DB391C770AD45CBA1

Function 008BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008BCF22,?), ref: 008BDDFD

Part of subcall function 008BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008BCF22,?), ref: 008BDE16

lstrcmpiW.KERNEL32(?,?), ref: 008BCF45
MoveFileW.KERNEL32(?,?), ref: 008BCF7F
_wcslen.LIBCMT ref: 008BD005
_wcslen.LIBCMT ref: 008BD01B
SHFileOperationW.SHELL32(?), ref: 008BD061

Strings

\*.*, xrefs: 008BCFF3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 908442de41894aec52bd3b1215dafc1694a2ccfdcfd75e13b10cf77d96e83176
Instruction ID: 8cf34ffa8435a780eb4a07e35612a3af8f0053e12541327c24ca4b21123f8226
Opcode Fuzzy Hash: 908442de41894aec52bd3b1215dafc1694a2ccfdcfd75e13b10cf77d96e83176
Instruction Fuzzy Hash: 2D4135719452199FDF12EFA4C981AEDB7B9FF08340F1000E6E549EB242EF74A649CB51

Function 008E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008E2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 008E2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 008E2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008E2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008E2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 008E2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008E2F0B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9e61807a88b7ead4fe8a1d0ea65665bfe5fff59d3f62beb3ad446e3fa7c74c47
Instruction ID: d2ecf5a2cb060893092c921dcbdbae7df3f8750ec5106e58bb5c4fb586f28af0
Opcode Fuzzy Hash: 9e61807a88b7ead4fe8a1d0ea65665bfe5fff59d3f62beb3ad446e3fa7c74c47
Instruction Fuzzy Hash: 643114346042A5AFDB20CF59DC84F6537E8FB6A710F1401A4F911CF2B2CB71AC919B41

Function 008B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008B778F
SysAllocString.OLEAUT32(00000000), ref: 008B7792
SysAllocString.OLEAUT32(?), ref: 008B77B0
SysFreeString.OLEAUT32(?), ref: 008B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008B77DE
SysAllocString.OLEAUT32(?), ref: 008B77EC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6814e75a9c3fc26deaffcc0f55ba6049e6c5506fe800969a7634208f775d4691
Instruction ID: 83cec8c95394b94eb083e8ee31354b3cb13654bfede7fc6a2417bf3cafc7a872
Opcode Fuzzy Hash: 6814e75a9c3fc26deaffcc0f55ba6049e6c5506fe800969a7634208f775d4691
Instruction Fuzzy Hash: 60219F76A04219AFDB10DFA8DC88CFA77ACFB49364B108025BA14DF291DA70DC428768

Function 008B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008B7868
SysAllocString.OLEAUT32(00000000), ref: 008B786B
SysAllocString.OLEAUT32 ref: 008B788C
SysFreeString.OLEAUT32 ref: 008B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008B78AF
SysAllocString.OLEAUT32(?), ref: 008B78BD

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 145c89a2a74a712edc5bbaeff74995d9bb0d0dfb84a4375d477f9090ecf00b37
Instruction ID: b553f65a3c0f093a19f573712a3b608b4acba7b256ebadd0e5999859b1083b24
Opcode Fuzzy Hash: 145c89a2a74a712edc5bbaeff74995d9bb0d0dfb84a4375d477f9090ecf00b37
Instruction Fuzzy Hash: 00214135A08218AFDB109FB8DC88DAA77ECFB497647108135F915CB2A1D674DC45CB68

Function 008C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008C052E

Strings

nul, xrefs: 008C0567

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ab5acf2d1e6e5e8cc8eb2d816bdfe50e300b37c25689ea194f3389ce2d4395b4
Instruction ID: 68980889e8f6390aa5e34f73199aac1f7523c7dcdb6de6affef85a52a05bec30
Opcode Fuzzy Hash: ab5acf2d1e6e5e8cc8eb2d816bdfe50e300b37c25689ea194f3389ce2d4395b4
Instruction Fuzzy Hash: C6210675A00209EBDB209F69D844F9A7BB8FF447A5F204A1DE9A1E62E0D770D941CF20

Function 008C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008C0601

Strings

nul, xrefs: 008C0639

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c4a1d230015b5d27d76af3d595987fe74b3f7e56153f99fb1adc5ab75e582d0d
Instruction ID: 290f0d3b8eee3ee46b32aa7dfb49c643fba371466c30249eae4d15852bf84cfd
Opcode Fuzzy Hash: c4a1d230015b5d27d76af3d595987fe74b3f7e56153f99fb1adc5ab75e582d0d
Instruction Fuzzy Hash: 41216D75900315DBDB209F698844F9A77B8FFA5BA4F200A1DE9A1E72E0D770D861CF10

Function 008E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0085604C
Part of subcall function 0085600E: GetStockObject.GDI32(00000011), ref: 00856060
Part of subcall function 0085600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0085606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008E4145

Strings

Msctls_Progress32, xrefs: 008E40E3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 4b4e51af37a6a4b2008c62e189bdfb643b23ca80059f86bb266f2f50136b9470
Instruction ID: d1ace1a02a594c461a58c054efd317c2a7eed521c2c76c708101cbd6782a3460
Opcode Fuzzy Hash: 4b4e51af37a6a4b2008c62e189bdfb643b23ca80059f86bb266f2f50136b9470
Instruction Fuzzy Hash: F811E2B214021DBEEF108F65CC81EE77FADFF09398F004120BA18E20A0C6729C61DBA0

Function 0088D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0088D7A3: _free.LIBCMT ref: 0088D7CC

_free.LIBCMT ref: 0088D82D

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

_free.LIBCMT ref: 0088D838
_free.LIBCMT ref: 0088D843
_free.LIBCMT ref: 0088D897
_free.LIBCMT ref: 0088D8A2
_free.LIBCMT ref: 0088D8AD
_free.LIBCMT ref: 0088D8B8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 5f24228c44c7a34c1c4cf78ccd6ddbeb06e22e38d9b15bbc4b16c1e5ff1bd501
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 1D110771940B04AADA21BFB8CD47FCB7BDCFF04700F404825F299E64D2DA69B5058762

Function 008BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008BDA74
LoadStringW.USER32(00000000), ref: 008BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008BDA91
LoadStringW.USER32(00000000), ref: 008BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008BDAB9

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4e854a9571a5c774959e5ac81c8f1dc73fc072636018e77fc70062f4ea9fffda
Instruction ID: cfba08797ef969bf8c242aeea160c9f5890432a8dadd7da54003362f6293ef78
Opcode Fuzzy Hash: 4e854a9571a5c774959e5ac81c8f1dc73fc072636018e77fc70062f4ea9fffda
Instruction Fuzzy Hash: B2014BF2900358BFEB10ABE49D89EEB776CFB08305F400496B756E6051EA749E858B74

Function 008C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00EED200,00EED200), ref: 008C097B
EnterCriticalSection.KERNEL32(00EED1E0,00000000), ref: 008C098D
TerminateThread.KERNEL32(00EE9D88,000001F6), ref: 008C099B
WaitForSingleObject.KERNEL32(00EE9D88,000003E8), ref: 008C09A9
CloseHandle.KERNEL32(00EE9D88), ref: 008C09B8
InterlockedExchange.KERNEL32(00EED200,000001F6), ref: 008C09C8
LeaveCriticalSection.KERNEL32(00EED1E0), ref: 008C09CF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 04426c7f0a38c044808a48762de5af57b4bd552f843201027e69fbfd5428721d
Instruction ID: 806de1bb356ca9a64f5814719b6ab6bc4f525acb58e47a3478611a7fda90f3e3
Opcode Fuzzy Hash: 04426c7f0a38c044808a48762de5af57b4bd552f843201027e69fbfd5428721d
Instruction Fuzzy Hash: D0F03C32842A42FBD7415FA4EECCBD6BB39FF01742F402025F612988A1C7749466CF90

Function 008D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008D1DE1
WSAGetLastError.WSOCK32 ref: 008D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 008D1EDB
inet_ntoa.WSOCK32(?), ref: 008D1E8C

Part of subcall function 008B39E8: _strlen.LIBCMT ref: 008B39F2

Part of subcall function 008D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008CEC0C), ref: 008D3240

_strlen.LIBCMT ref: 008D1F35

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 395541658bd002bdfc8f9cb00dbb526eac48b756f0cdf7975227f4d980d44aff
Instruction ID: 975c9fb1639c0908770a3117f00076e831f7f6633a254a90c71be0f15aa5a5df
Opcode Fuzzy Hash: 395541658bd002bdfc8f9cb00dbb526eac48b756f0cdf7975227f4d980d44aff
Instruction Fuzzy Hash: C3B1A131604340AFC724DF28C885E2A7BA5FF85318F548A5DF4569B3A2DB31ED46CB92

Function 00855D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00855D30
GetWindowRect.USER32(?,?), ref: 00855D71
ScreenToClient.USER32(?,?), ref: 00855D99
GetClientRect.USER32(?,?), ref: 00855ED7
GetWindowRect.USER32(?,?), ref: 00855EF8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c1fa5c23eb0ca68b488adb656bc8d2e029a497aec65af7fe8add8af3bd0050a4
Instruction ID: 96bd5a5517f53fe2bcfc9f09a8a70bc173395d8ce2b502e783211e827b7183a1
Opcode Fuzzy Hash: c1fa5c23eb0ca68b488adb656bc8d2e029a497aec65af7fe8add8af3bd0050a4
Instruction Fuzzy Hash: 65B18B35A0064ADBDF10DFA8C481BEEB7F1FF58311F14941AE8A9D7250DB30AA45CB50

Function 008801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008800D6
__allrem.LIBCMT ref: 008800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0088010B
__allrem.LIBCMT ref: 00880122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00880140

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 5f551c8842949b68108d10a2c59bee90c028c0fe66aa514914d0df4a67f420cc
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 7581E376A00B069BE720BA6DCC45B6A73E8FF51334F24813AF555D6282EF70E9048B91

Function 008861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008782D9,008782D9,?,?,?,0088644F,00000001,00000001,8BE85006), ref: 00886258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0088644F,00000001,00000001,8BE85006,?,?,?), ref: 008862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008863D8
__freea.LIBCMT ref: 008863E5

Part of subcall function 00883820: RtlAllocateHeap.NTDLL(00000000,?,00921444,?,0086FDF5,?,?,0085A976,00000010,00921440,008513FC,?,008513C6,?,00851129), ref: 00883852

__freea.LIBCMT ref: 008863EE
__freea.LIBCMT ref: 00886413

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1cf611ab560fee0eb7c69496a8451687c93670a4d11db9d864c73c3685144272
Instruction ID: 631f9768fd26990142ebe254673453d142544461c576efb66d67cf95ddda7ada
Opcode Fuzzy Hash: 1cf611ab560fee0eb7c69496a8451687c93670a4d11db9d864c73c3685144272
Instruction Fuzzy Hash: 0851DF72A00216ABEB25AF64DC81EAF77AAFB44710F144669FC05DA240FB34DC60C7A0

Function 008DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DB6AE,?,?), ref: 008DC9B5
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DC9F1
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DCA68
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DBD25
RegCloseKey.ADVAPI32(00000000), ref: 008DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008DBDF3
RegCloseKey.ADVAPI32(?), ref: 008DBDFF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9c1e5088e4ce75be5bac10378bf32a426721f1136c839ce146baf6840bf7c347
Instruction ID: dedc477546be3262aeb6708cf2f55bcdabcb66d8d6f6b86b8efcd759e0112571
Opcode Fuzzy Hash: 9c1e5088e4ce75be5bac10378bf32a426721f1136c839ce146baf6840bf7c347
Instruction Fuzzy Hash: 04814A30208241EFD714DF24C895E2ABBE5FF84308F158A5DF5958B2A2DB31ED45CB92

Function 008AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008AF7B9
SysAllocString.OLEAUT32(00000001), ref: 008AF860
VariantCopy.OLEAUT32(008AFA64,00000000), ref: 008AF889
VariantClear.OLEAUT32(008AFA64), ref: 008AF8AD
VariantCopy.OLEAUT32(008AFA64,00000000), ref: 008AF8B1
VariantClear.OLEAUT32(?), ref: 008AF8BB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 263a297cdc70a9497b6bdefd115c7d4ca0b2b902658fabfebe91658a04a5a214
Instruction ID: 6b0b36eb64afae081201378a0713a03ebb0a5a992fe8b1049dba40406b604f55
Opcode Fuzzy Hash: 263a297cdc70a9497b6bdefd115c7d4ca0b2b902658fabfebe91658a04a5a214
Instruction Fuzzy Hash: 4E51F831500314BBEF20ABA9D895B2AB7A4FF46314F244466FA05DF693DB748C41C797

Function 008C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00857620: _wcslen.LIBCMT ref: 00857625

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008C94E5
_wcslen.LIBCMT ref: 008C9506
_wcslen.LIBCMT ref: 008C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 008C9585

Strings

X, xrefs: 008C9412

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3abf767a9dce40c541e4403585eb4709aa7dba066636f11168acd26cba988246
Instruction ID: d158f3d45b59c67ef053e1e52fdd0d6c7e2f9c959108c9c792aeb54349e3624c
Opcode Fuzzy Hash: 3abf767a9dce40c541e4403585eb4709aa7dba066636f11168acd26cba988246
Instruction Fuzzy Hash: 28E15B315083408FC724DF28C885B6AB7E4FF85314F1589ADE999DB2A2EB31DD05CB92

Function 0086920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

BeginPaint.USER32(?,?,?), ref: 00869241
GetWindowRect.USER32(?,?), ref: 008692A5
ScreenToClient.USER32(?,?), ref: 008692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008692D3
EndPaint.USER32(?,?,?,?,?), ref: 00869321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008A71EA

Part of subcall function 00869339: BeginPath.GDI32(00000000), ref: 00869357

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 35e1a31d51b3b103632dc0a4dbaba365c34035d22683f0fd35fc5ae06a2329ea
Instruction ID: 2251ab9601f60ee7d70bd176bc65bc550a0711213a3e53df8da36c12220d5fba
Opcode Fuzzy Hash: 35e1a31d51b3b103632dc0a4dbaba365c34035d22683f0fd35fc5ae06a2329ea
Instruction Fuzzy Hash: 3041A170508340AFD721DF18DC94FAA7BE8FB56324F040229F9A4C72E1C7309846DB62

Function 008C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008C0847
EnterCriticalSection.KERNEL32(?), ref: 008C0863
LeaveCriticalSection.KERNEL32(?), ref: 008C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 008C0921

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c45a237dd178552d35672d858493ad31271d01faded1d99e7ef2c786760a0130
Instruction ID: 71ddf7f1ce1f36b7dbb60b5810c8c13132c0d37485217bf7a0f066bf8a087ca4
Opcode Fuzzy Hash: c45a237dd178552d35672d858493ad31271d01faded1d99e7ef2c786760a0130
Instruction Fuzzy Hash: 0D415871900205EBDF14AF58DC85AAA7B78FF04300F1480A9EE04DE297D731DE65DBA1

Function 008E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008AF3AB,00000000,?,?,00000000,?,008A682C,00000004,00000000,00000000), ref: 008E824C
EnableWindow.USER32(00000000,00000000), ref: 008E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008E82D1
ShowWindow.USER32(00000000,00000004), ref: 008E82E5
EnableWindow.USER32(00000000,00000001), ref: 008E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008E832F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: aacdb61a48e4415f01f80c8fbe024567ab8f210e3b5453a1757938d56fff7d1a
Instruction ID: 2053c834d9922e6b8e340a3cbe6ca56d6b470e04d19298ba09232974bcd7a441
Opcode Fuzzy Hash: aacdb61a48e4415f01f80c8fbe024567ab8f210e3b5453a1757938d56fff7d1a
Instruction Fuzzy Hash: A5419634601684EFDB25CF16D895BE87BE1FB1B714F184169EA0C9F272CB32A852CB50

Function 008B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008B4CEA
_wcslen.LIBCMT ref: 008B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008B4D10
_wcsstr.LIBVCRUNTIME ref: 008B4D1A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8b266ff480ffd785cadb628661aa9f7dfff6be8c1fc4eeb44d89abcb15712c9a
Instruction ID: 43643e1c64138d13afc8b3ab3e399b719b4d6229df2a40e132127c8e132e13df
Opcode Fuzzy Hash: 8b266ff480ffd785cadb628661aa9f7dfff6be8c1fc4eeb44d89abcb15712c9a
Instruction Fuzzy Hash: 052129326042447BEB555B39EC4AEBB7FACFF45750F14902DF905CE2A3EA61CC0182A1

Function 008C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00853AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00853A97,?,?,00852E7F,?,?,?,00000000), ref: 00853AC2

_wcslen.LIBCMT ref: 008C587B
CoInitialize.OLE32(00000000), ref: 008C5995
CoCreateInstance.OLE32(008EFCF8,00000000,00000001,008EFB68,?), ref: 008C59AE
CoUninitialize.OLE32 ref: 008C59CC

Strings

.lnk, xrefs: 008C5876, 008C58C1, 008C5985

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 45ebf8cad8eed7736685b4f77359f26d244b8e30bb7b25bbe4ae4130ad776caa
Instruction ID: fe7d66b780be044930fb8c3aebe477da84fa6f4ac916ef753832a39631296cd9
Opcode Fuzzy Hash: 45ebf8cad8eed7736685b4f77359f26d244b8e30bb7b25bbe4ae4130ad776caa
Instruction Fuzzy Hash: FBD132756046019FCB14DF29C480A2ABBF1FF89724F14895DF889DB261DB31ED89CB92

Function 008B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008B0FCA
Part of subcall function 008B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008B0FD6
Part of subcall function 008B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008B0FE5
Part of subcall function 008B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008B0FEC
Part of subcall function 008B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008B1002

GetLengthSid.ADVAPI32(?,00000000,008B1335), ref: 008B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008B17BA
HeapAlloc.KERNEL32(00000000), ref: 008B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008B17DA
GetProcessHeap.KERNEL32(00000000,00000000,008B1335), ref: 008B17EE
HeapFree.KERNEL32(00000000), ref: 008B17F5

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 91360b6c9154365154dcddd669bf1a07179524926ec86b573217d795ff331ed8
Instruction ID: afb7004b2a0faf23096135959dfba0614682e4fbad2eebb6067f23788153f881
Opcode Fuzzy Hash: 91360b6c9154365154dcddd669bf1a07179524926ec86b573217d795ff331ed8
Instruction Fuzzy Hash: 8C11AC32A10605FFDF109FA4CC99BEE7BA9FB42355F504018F851DB214CB35A941CB64

Function 008B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008B1515
CloseHandle.KERNEL32(00000004), ref: 008B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008B1563

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 53af5d105716c5ac16f742dae32dc0700f7c007375f9defcbf6a42d33fea0091
Instruction ID: a87dbd1d6e2e381332bbc396cc3f0466f53a1595749f0439c5099137d454f3f6
Opcode Fuzzy Hash: 53af5d105716c5ac16f742dae32dc0700f7c007375f9defcbf6a42d33fea0091
Instruction Fuzzy Hash: 5111297250024DEBDF11CF98DD49BDE7BA9FF48744F044025FA15AA160C3758E61DB60

Function 00873382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00873379,00872FE5), ref: 00873390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0087339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008733B7
SetLastError.KERNEL32(00000000,?,00873379,00872FE5), ref: 00873409

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 53b1c99cb32e51cb9a9d116feeb3003dfcb7745ae73fcf976bdbf1cd08125ee1
Instruction ID: b2f4753f3b43f131d76a78ebfadf32f47dde08863a83f45735c658ae6013d7c2
Opcode Fuzzy Hash: 53b1c99cb32e51cb9a9d116feeb3003dfcb7745ae73fcf976bdbf1cd08125ee1
Instruction Fuzzy Hash: 9401287275C311BEAA2527787CC59972A55FB29379330C229F428C42F8EF11CD02B147

Function 00882D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00885686,00893CD6,?,00000000,?,00885B6A,?,?,?,?,?,0087E6D1,?,00918A48), ref: 00882D78
_free.LIBCMT ref: 00882DAB
_free.LIBCMT ref: 00882DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0087E6D1,?,00918A48,00000010,00854F4A,?,?,00000000,00893CD6), ref: 00882DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0087E6D1,?,00918A48,00000010,00854F4A,?,?,00000000,00893CD6), ref: 00882DEC
_abort.LIBCMT ref: 00882DF2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b34c2046ed04bf922e92a1da8299b57b57fea50d45c47e900734edb362e3ef28
Instruction ID: 3e926847d5b6e8a72b00a04c798b1b18dd41dd70f58536e3a970103689141d30
Opcode Fuzzy Hash: b34c2046ed04bf922e92a1da8299b57b57fea50d45c47e900734edb362e3ef28
Instruction Fuzzy Hash: D1F0C876A4960477C612373CBC06E5B2D59FFC17A5F254518FC25D62D2EF2498025362

Function 008E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00869639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00869693
Part of subcall function 00869639: SelectObject.GDI32(?,00000000), ref: 008696A2
Part of subcall function 00869639: BeginPath.GDI32(?), ref: 008696B9
Part of subcall function 00869639: SelectObject.GDI32(?,00000000), ref: 008696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008E8A70
LineTo.GDI32(?,00000000,00000003), ref: 008E8A80
EndPath.GDI32(?), ref: 008E8A90
StrokePath.GDI32(?), ref: 008E8AA0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 87925ae93878190f30039c1247c418baa32c948d644ba51a8e5ac578d140ae7a
Instruction ID: 52a91b9c0f949766362ebb5b84995238afaea7913567149837f9cd968daf24bf
Opcode Fuzzy Hash: 87925ae93878190f30039c1247c418baa32c948d644ba51a8e5ac578d140ae7a
Instruction Fuzzy Hash: 84110C7640015CFFDF129F94DC88E9A7F6CFB04394F008021FA199A1A1C7719D56DB60

Function 008B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008B5230
ReleaseDC.USER32(00000000,00000000), ref: 008B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008B5261

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5c93d5dd114d76b860f85caaeaefb10c37c9e57f86ab1b75ffb28c174baa9a8b
Instruction ID: 29189bf91e2a17f79ce0f2a886364d481a580eed2774e85308a86dcb8de06512
Opcode Fuzzy Hash: 5c93d5dd114d76b860f85caaeaefb10c37c9e57f86ab1b75ffb28c174baa9a8b
Instruction Fuzzy Hash: 75014475E01754BBEB109BE59C49B5EBF78FB44751F044065FA04EB291D6709801CF60

Function 00851BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00851BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00851BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00851C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00851C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00851C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00851C22

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e4b16c3c893a6c9e9de5ad238255ce78cf0f826a5b631a3b8295cb3978fe05eb
Instruction ID: 2c1678a40f46f0d61292c9710779cc0d915d5c66e98a7d83f0f7ecc81233770b
Opcode Fuzzy Hash: e4b16c3c893a6c9e9de5ad238255ce78cf0f826a5b631a3b8295cb3978fe05eb
Instruction Fuzzy Hash: F30144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 008BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008BEB75

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a3be907b002165d99d0f7001c93726dab6290e0affa07e910c6c817c8affe294
Instruction ID: ef95a78326fbc6d250ae78ee89e9e57f296552363289e437725b22b1d09b685e
Opcode Fuzzy Hash: a3be907b002165d99d0f7001c93726dab6290e0affa07e910c6c817c8affe294
Instruction Fuzzy Hash: 8BF05472940198BFE7215B529C4DEEF7E7CFFCAB11F000159FA11D5191D7A05A02C6B5

Function 008A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008A7469
GetWindowDC.USER32(?), ref: 008A7475
GetPixel.GDI32(00000000,?,?), ref: 008A7484
ReleaseDC.USER32(?,00000000), ref: 008A7496
GetSysColor.USER32(00000005), ref: 008A74B0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d62581af6fe86fbaa0b26b512128faa511465c5512c35d0966be52035bdd675b
Instruction ID: bd94a9ff83228ddc95324fc1070ba8db12b54213d8e137aaf82a9e0c76111dc1
Opcode Fuzzy Hash: d62581af6fe86fbaa0b26b512128faa511465c5512c35d0966be52035bdd675b
Instruction Fuzzy Hash: D601AD31800259EFEB505F64DC48BAA7BB6FF08311F110064FA26A70B0CB311E52EF10

Function 008B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008B187F
UnloadUserProfile.USERENV(?,?), ref: 008B188B
CloseHandle.KERNEL32(?), ref: 008B1894
CloseHandle.KERNEL32(?), ref: 008B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008B18A5
HeapFree.KERNEL32(00000000), ref: 008B18AC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 972bd196d2e6a76ea37c4454d916bb60d2a9aaf0709e86768766520ad4a378a1
Instruction ID: c9d0461438c8e65c81f69f59572c2f3379193ab253ad9dc385e137e725749bdd
Opcode Fuzzy Hash: 972bd196d2e6a76ea37c4454d916bb60d2a9aaf0709e86768766520ad4a378a1
Instruction Fuzzy Hash: A7E0E536804241BBDB015FA5ED4C90AFF39FF4AB22B108220F62589170CB329422DF50

Function 008BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00857620: _wcslen.LIBCMT ref: 00857625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008BC6EE
_wcslen.LIBCMT ref: 008BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008BC7CA

Strings

0, xrefs: 008BC6AF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3850bfba79e41b110265bff150f3fd4cdb325ddd0c1ab84e78402b488aaf6469
Instruction ID: 4b7d4b5c9e1c665e1cb9be30133a1d6dec4e271f7866737aeafff67bc9250120
Opcode Fuzzy Hash: 3850bfba79e41b110265bff150f3fd4cdb325ddd0c1ab84e78402b488aaf6469
Instruction Fuzzy Hash: 0751DE716043019BD7249F2CD885BAB7BE8FF9A314F040A2DF9A5D72A1DF60D904CB5A

Function 008DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008DAEA3

Part of subcall function 00857620: _wcslen.LIBCMT ref: 00857625

GetProcessId.KERNEL32(00000000), ref: 008DAF38
CloseHandle.KERNEL32(00000000), ref: 008DAF67

Strings

<, xrefs: 008DAE6B
@, xrefs: 008DAE72

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8203467f930844e1922f93ee9fcbb3de359aee6849720a3f7f4a7fb8cabf8de3
Instruction ID: 8359931e6272c3ef631705cf2290ad2da4fd37e848ed5a7c6ffd4a3137eb52bd
Opcode Fuzzy Hash: 8203467f930844e1922f93ee9fcbb3de359aee6849720a3f7f4a7fb8cabf8de3
Instruction Fuzzy Hash: 7E716771A00218DFCB18DF58C484A9EBBF0FF08314F14859AE856AB392CB70ED45CB92

Function 008B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008B72CF

Strings

DllGetClassObject, xrefs: 008B7242

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4afc5a67b27f92a585637d9c96affb9ffb83425a31b2a7f39ddce33f52b0ea6b
Instruction ID: 0761a692ac96e9b3e0b19915edaeab94f4a10fbde8ddc2808ff226fa7c220207
Opcode Fuzzy Hash: 4afc5a67b27f92a585637d9c96affb9ffb83425a31b2a7f39ddce33f52b0ea6b
Instruction Fuzzy Hash: 17411E71A04305AFDB15CF54C884ADA7BA9FF85314F1580A9BD06DF30AD7B1DA45CBA0

Function 008E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E3E35
IsMenu.USER32(?), ref: 008E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008E3E92
DrawMenuBar.USER32 ref: 008E3EA5

Strings

0, xrefs: 008E3D89

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 47453b144df9c9600ad128240a5f9a9dc7104e8f258c6d391000a6a5086c3b40
Instruction ID: dd5add37e9925af76848f4ea0184678fbab21dbc7bcf51f1a678eb6fd7d0ac7d
Opcode Fuzzy Hash: 47453b144df9c9600ad128240a5f9a9dc7104e8f258c6d391000a6a5086c3b40
Instruction Fuzzy Hash: 58418874A0024AEFDB24DF51D888EAABBB9FF4A354F044129E815EB250C330EE41CF50

Function 008B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008B1EA9

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

Strings

ComboBox, xrefs: 008B1DF0
ListBox, xrefs: 008B1E25

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 536f6f28e298695f444e23d7b031b21521a73bda6194d310d80bb77a408faeec
Instruction ID: b939d7cdcdbcd12f51f8c24161ed9bc71c74f79413c650f3e48e03c3be9968bf
Opcode Fuzzy Hash: 536f6f28e298695f444e23d7b031b21521a73bda6194d310d80bb77a408faeec
Instruction Fuzzy Hash: 83210771A00108BADB149BA8DC99CFFBBB9FF55354B504119FC25EB2E1DB34890A8621

Function 008E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008E2F8D
LoadLibraryW.KERNEL32(?), ref: 008E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008E2FA9
DestroyWindow.USER32(?), ref: 008E2FB1

Strings

SysAnimate32, xrefs: 008E2F68

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: af789954ddcf87c216c8369c77a37b7ee4e68db3b4cdb26d329556c641a20afc
Instruction ID: 2ac5dea97a830aa7d2639d35356b8de62c1f88a38f9322ab65c06fc62941b5e3
Opcode Fuzzy Hash: af789954ddcf87c216c8369c77a37b7ee4e68db3b4cdb26d329556c641a20afc
Instruction Fuzzy Hash: 7F21C072604289ABEB205F65DC81FBB77BDFB5A364F100218F950D61A0DB71DC919760

Function 00874D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00874D1E,008828E9,?,00874CBE,008828E9,009188B8,0000000C,00874E15,008828E9,00000002), ref: 00874D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00874DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00874D1E,008828E9,?,00874CBE,008828E9,009188B8,0000000C,00874E15,008828E9,00000002,00000000), ref: 00874DC3

Strings

mscoree.dll, xrefs: 00874D86
CorExitProcess, xrefs: 00874D98

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 355088818968934ddd3dbd2cf28350e68e17e4d521e0f601a82f35a98d0dac30
Instruction ID: 51d8c1a3bea5c974a615795a954a47b79b563cfc88a2e4c4f04f2176b06027fa
Opcode Fuzzy Hash: 355088818968934ddd3dbd2cf28350e68e17e4d521e0f601a82f35a98d0dac30
Instruction Fuzzy Hash: 72F04F34A4021CBFDB119FA4DC89BADBFB5FF44752F0040A8F909E6260DB359941DE91

Function 008AD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 008AD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008AD3BF
FreeLibrary.KERNEL32(00000000), ref: 008AD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 008AD3B9
X64, xrefs: 008AD2A8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 758d19a1a5acd1f86271739b8ade554c6124371edc8f317db5b67a03d2124ab1
Instruction ID: a0b6a9d7c25412687afa629c04f61ad4012289e5355ede5c17438b61502e6075
Opcode Fuzzy Hash: 758d19a1a5acd1f86271739b8ade554c6124371edc8f317db5b67a03d2124ab1
Instruction Fuzzy Hash: 3EF05531C01F258BFB7167108C88AAE7320FF13B05B518058F603EAE24EB20CC49C6C2

Function 00854E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00854EDD,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00854EAE
FreeLibrary.KERNEL32(00000000,?,?,00854EDD,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00854EA8
kernel32.dll, xrefs: 00854E94

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b24bbd069ad5ed7d9deeb91cb289297b52c96f4b68bc9e47335d446b76dfba92
Instruction ID: e1f249d04c9565dc2f83a68d7101f277299fe7061d0b783271f6a8dcf725a2c5
Opcode Fuzzy Hash: b24bbd069ad5ed7d9deeb91cb289297b52c96f4b68bc9e47335d446b76dfba92
Instruction Fuzzy Hash: B7E08C36E026225B93221B25AC1AA6B7A68FFC2F77B050115FC04E7200DB64CD4A80A0

Function 00854E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00893CDE,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00854E74
FreeLibrary.KERNEL32(00000000,?,?,00893CDE,?,00921418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00854E87

Strings

kernel32.dll, xrefs: 00854E5B
Wow64RevertWow64FsRedirection, xrefs: 00854E6E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 1206c07635a1e0d05ef3e8df528ff1df17c03a1aea7db8eed771bfc06fbd1b8c
Instruction ID: b43ec7e89f903d9ffd41e64367a3d1185de011f4012d8c3a1547271a4b7f2e18
Opcode Fuzzy Hash: 1206c07635a1e0d05ef3e8df528ff1df17c03a1aea7db8eed771bfc06fbd1b8c
Instruction Fuzzy Hash: 0AD0C231E026615747221B256C09D8B3A28FF81F3A3450114BC04E6110CF20CD4281D0

Function 008DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008DA468
CloseHandle.KERNEL32(?), ref: 008DA63D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 01af7e21b5f00e203a264dbb71312d03cd1454443aae1ff5e147a7b42a2ee9db
Instruction ID: 7aa107af01aa46d3cccd8b79c9598d2ad934d79a82a37ed53c98397437c34b6f
Opcode Fuzzy Hash: 01af7e21b5f00e203a264dbb71312d03cd1454443aae1ff5e147a7b42a2ee9db
Instruction Fuzzy Hash: 4EA18E716043009FD724DF28D886B2AB7E5FB84714F14895DF95ADB392DBB0EC458B82

Function 0088BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008F3700), ref: 0088BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0092121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0088BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00921270,000000FF,?,0000003F,00000000,?), ref: 0088BC36
_free.LIBCMT ref: 0088BB7F

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

_free.LIBCMT ref: 0088BD4B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9cfd8ae6df7ea09ccebf649c4b7707eca97dd5c5476a2bc3e6f929500c4036e1
Instruction ID: 521ad0bdbe7420015e52f83ff42b0a08044ad2a131237f978446498c22b9f4d1
Opcode Fuzzy Hash: 9cfd8ae6df7ea09ccebf649c4b7707eca97dd5c5476a2bc3e6f929500c4036e1
Instruction Fuzzy Hash: 7651EA71904219EFCB24FF699C819AEBBBDFF90320B10426AF564D7291EB309E41DB51

Function 008BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008BCF22,?), ref: 008BDDFD

Part of subcall function 008BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008BCF22,?), ref: 008BDE16

Part of subcall function 008BE199: GetFileAttributesW.KERNEL32(?,008BCF95), ref: 008BE19A

lstrcmpiW.KERNEL32(?,?), ref: 008BE473
MoveFileW.KERNEL32(?,?), ref: 008BE4AC
_wcslen.LIBCMT ref: 008BE5EB
_wcslen.LIBCMT ref: 008BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008BE650

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 629c46aa9439c50e5c207c523a6603ed2c3385446f86d801f484e08ab9e7dd1b
Instruction ID: 5f25901fcdcf792a6b7998307c193187bf01866d6717b20e820961dd039cd399
Opcode Fuzzy Hash: 629c46aa9439c50e5c207c523a6603ed2c3385446f86d801f484e08ab9e7dd1b
Instruction Fuzzy Hash: 07512FB24087859FC724DBA4D8819DB73ECFF85340F00492EE689D3251EE75A688876B

Function 008DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DB6AE,?,?), ref: 008DC9B5
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DC9F1
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DCA68
Part of subcall function 008DC998: _wcslen.LIBCMT ref: 008DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008DBB63
RegCloseKey.ADVAPI32(?,?), ref: 008DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 008DBBB3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 11dca31f0c1689b9f1775565558dfafd33e798b4e1f96016ed1249bc7ce39a34
Instruction ID: 51d11da5dd0249066e22849563a4ecb6d6100cc2d96c0220999d91988cb6a2b6
Opcode Fuzzy Hash: 11dca31f0c1689b9f1775565558dfafd33e798b4e1f96016ed1249bc7ce39a34
Instruction Fuzzy Hash: 24615D31208241EFD714DF14C491E2ABBE5FF84318F558A5EF4998B2A2DB31ED45CB92

Function 008B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008B8BCD
VariantClear.OLEAUT32 ref: 008B8C3E
VariantClear.OLEAUT32 ref: 008B8C9D
VariantClear.OLEAUT32(?), ref: 008B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008B8D3B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7d5afd4d72b4a48ef4593263d87fc4ab82247a7e51c88a8d37f03885590e46e4
Instruction ID: 9732c119b987621c0c22a3a006b28db7f2e045ddd9afd89407867087108cda1d
Opcode Fuzzy Hash: 7d5afd4d72b4a48ef4593263d87fc4ab82247a7e51c88a8d37f03885590e46e4
Instruction Fuzzy Hash: 0E516AB5A00219EFCB10CF68C894AEAB7F8FF89314B15855AE919DB350E730E911CF90

Function 008C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008C8C5F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 434c5a540a2b112ba3c84b7f6586accf87062a7087d621fefa0eee5273d6be77
Instruction ID: 09b8e0653a5688b27eeedc5ee8096c49f84392fdd230ab687eee66c8ac590c0f
Opcode Fuzzy Hash: 434c5a540a2b112ba3c84b7f6586accf87062a7087d621fefa0eee5273d6be77
Instruction Fuzzy Hash: 95515835A00218EFCB05DF68C880E6ABBF5FF48314F088458E949AB362DB31ED55CB91

Function 008D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 008D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 008D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 008D9032
FreeLibrary.KERNEL32(00000000), ref: 008D9052

Part of subcall function 0086F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008C1043,?,7529E610), ref: 0086F6E6
Part of subcall function 0086F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008AFA64,00000000,00000000,?,?,008C1043,?,7529E610,?,008AFA64), ref: 0086F70D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3a2378e2c2918cffd90a978fb36eac224cc68340a9c3cb903bcff6cf375058f4
Instruction ID: bf812e6ec39c03d9c01543e56f33926655e63f2d3ef0aed7649ca72bea40136b
Opcode Fuzzy Hash: 3a2378e2c2918cffd90a978fb36eac224cc68340a9c3cb903bcff6cf375058f4
Instruction Fuzzy Hash: 07514B35600205DFC715DF68C4848ADBBF1FF49324B0581A9E846DB362DB31ED8ACB91

Function 008E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008CAB79,00000000,00000000), ref: 008E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008E6CC7

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 27dbbe2b7663e8d7f646bf1d193e7c7ac455b2b2d2ce2710f80e384d5a3cd68f
Instruction ID: b6591caaee3e7b7ad57c8cf48d407bf082d1cf0764bc60ea84369ace71263304
Opcode Fuzzy Hash: 27dbbe2b7663e8d7f646bf1d193e7c7ac455b2b2d2ce2710f80e384d5a3cd68f
Instruction Fuzzy Hash: 3F41A435A04184AFD724CF2ACC95FA57BA5FB1B3A0F240268EC95E72A0E371AD61D640

Function 00882051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008820C3
_free.LIBCMT ref: 008820E3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 99e167960e928caded553f53863afad196ad2a49e9623c549a4730b29e1dbd95
Instruction ID: 70d91636428f5a8579f2eae6c48ae8cf2e8a1fff44d8055a9a434c66002a1fee
Opcode Fuzzy Hash: 99e167960e928caded553f53863afad196ad2a49e9623c549a4730b29e1dbd95
Instruction Fuzzy Hash: 1041E276A006049FCB20EF78C880A5DB7E5FF89314F2685A8E615EB392D731ED01CB81

Function 0086912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00869141
ScreenToClient.USER32(00000000,?), ref: 0086915E
GetAsyncKeyState.USER32(00000001), ref: 00869183
GetAsyncKeyState.USER32(00000002), ref: 0086919D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8e143d975aeba0eba35746e57fa5140e0e15b755013567feb173fc2918edeb42
Instruction ID: 422bd422469c8818a40085cdd30ce1b141ec15010a8e1285701bf5d24a162f2c
Opcode Fuzzy Hash: 8e143d975aeba0eba35746e57fa5140e0e15b755013567feb173fc2918edeb42
Instruction Fuzzy Hash: 39417F31A0860AFBDF059F68CC44BEEB7B8FB06324F208229E465E72D0C7346954DB91

Function 008C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 008C3922
TranslateMessage.USER32(?), ref: 008C394B
DispatchMessageW.USER32(?), ref: 008C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C3966

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f64f0994690a7ec35d68834c8e551803088e5a4a6c4b2d9b46af54ddac1f10bd
Instruction ID: ba41d58e05bc810f935fec1f47b15c532c071d9b62cb5390af21b85cfae52acb
Opcode Fuzzy Hash: f64f0994690a7ec35d68834c8e551803088e5a4a6c4b2d9b46af54ddac1f10bd
Instruction Fuzzy Hash: DF31A6709183869EEB35CB349848FB67BB8FB16304F04856DE462D61A0E3B5D68BDB11

Function 008CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 008CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 008CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,008CC21E,00000000), ref: 008CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,008CC21E,00000000), ref: 008CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,008CC21E,00000000), ref: 008CCFF2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7b17a55ff9d8691fe0e8c017ef7fda66dff5d670c025e582c9e393ce9f0872ca
Instruction ID: e34d8058fbe625789175895665097914e5fbf6926c588ab64d5a0db87c89b401
Opcode Fuzzy Hash: 7b17a55ff9d8691fe0e8c017ef7fda66dff5d670c025e582c9e393ce9f0872ca
Instruction Fuzzy Hash: 67314A71A10209EFDB20DFA9D884EABBBFAFB14354B10442EF51AD6141DB70EE419B60

Function 008B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008B19E2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2bb330604f23c0fc97987c1a7e93e07105abbf03606f625a76d5a52382723294
Instruction ID: 3a7fcb7dd778fa2ed12f38e4e9815e55dea2431fca557554c81d4f4ea34c6d08
Opcode Fuzzy Hash: 2bb330604f23c0fc97987c1a7e93e07105abbf03606f625a76d5a52382723294
Instruction Fuzzy Hash: D6318B71A00259EFCB04CFA8C9ADADE3BB5FB05315F504229F921EB2D1C7709944CB90

Function 008E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008E579D
_wcslen.LIBCMT ref: 008E57AF
_wcslen.LIBCMT ref: 008E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008E5816

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 4e4f853683500c46cf30ce8e90658098f681ad1b9296c83f68dd05a3b01441a1
Instruction ID: 3db3325bc5dd440d2984fd8fcc4fb6e6294c609c7f57db0722951aef85fa4c4c
Opcode Fuzzy Hash: 4e4f853683500c46cf30ce8e90658098f681ad1b9296c83f68dd05a3b01441a1
Instruction Fuzzy Hash: 4D21D2709046989ADB209FA5CC84AEE7BB8FF12328F108216E929EB1D1D770C981CF50

Function 008D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008D0951
GetForegroundWindow.USER32 ref: 008D0968
GetDC.USER32(00000000), ref: 008D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 008D09B0
ReleaseDC.USER32(00000000,00000003), ref: 008D09E8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a7ec233b649e916c1df0782d2c8c3b1677b3c9eff733e8750157a354f4890f5e
Instruction ID: bacccfb5a6222058fabc7c7fe27223ef823afbc3d2a449962549d3eb56712d14
Opcode Fuzzy Hash: a7ec233b649e916c1df0782d2c8c3b1677b3c9eff733e8750157a354f4890f5e
Instruction Fuzzy Hash: C4216F35A00204AFD704EF69C898AAEBBF5FF44701F04846DE85ADB362DB70AC05CB90

Function 0088CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0088CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0088CDE9

Part of subcall function 00883820: RtlAllocateHeap.NTDLL(00000000,?,00921444,?,0086FDF5,?,?,0085A976,00000010,00921440,008513FC,?,008513C6,?,00851129), ref: 00883852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0088CE0F
_free.LIBCMT ref: 0088CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0088CE31

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b195030e74f3ca6bf2f3e35239d3f572ac3d5add5cd8ef6a3e411ff9491f67e4
Instruction ID: c897d3629392c4e9dcf4297bad98a71686b67463c8d5212758affe212495ab12
Opcode Fuzzy Hash: b195030e74f3ca6bf2f3e35239d3f572ac3d5add5cd8ef6a3e411ff9491f67e4
Instruction Fuzzy Hash: 77018472A012557F23213ABAAC88D7B7A6DFFC6BA13154129F905D7205EB718D0283B1

Function 00869639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00869693
SelectObject.GDI32(?,00000000), ref: 008696A2
BeginPath.GDI32(?), ref: 008696B9
SelectObject.GDI32(?,00000000), ref: 008696E2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e2042b0ac112007fe9f40108d6e484322de646e0af6052b803472523c166ccfa
Instruction ID: 4593f377362dc9f0d0db6738c2a85dc3ef60fe1a55bb8b9a00b2aa8f32a76a6a
Opcode Fuzzy Hash: e2042b0ac112007fe9f40108d6e484322de646e0af6052b803472523c166ccfa
Instruction Fuzzy Hash: 8A217F7482A345EBDB219F28FC44BA93BA8FB21355F110216F450E61F0D37058A3EB90

Function 008B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008B5726
_memcmp.LIBVCRUNTIME ref: 008B5744
_memcmp.LIBVCRUNTIME ref: 008B5757
_memcmp.LIBVCRUNTIME ref: 008B576F
_memcmp.LIBVCRUNTIME ref: 008B5787

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 519cb240abfc69f38e198d1c80a400fa842570736b41ff0bd3f252cde9ed7ca6
Instruction ID: 970784dd7439d6e6d2543cd2dadbe4399bff1a3b65f656434945172d97275b5e
Opcode Fuzzy Hash: 519cb240abfc69f38e198d1c80a400fa842570736b41ff0bd3f252cde9ed7ca6
Instruction Fuzzy Hash: 3601B971781619BBE60855199D42FFB735CFB713A8F208020FE18DA742FB64EE1183A5

Function 00882DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0087F2DE,00883863,00921444,?,0086FDF5,?,?,0085A976,00000010,00921440,008513FC,?,008513C6), ref: 00882DFD
_free.LIBCMT ref: 00882E32
_free.LIBCMT ref: 00882E59
SetLastError.KERNEL32(00000000,00851129), ref: 00882E66
SetLastError.KERNEL32(00000000,00851129), ref: 00882E6F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f261d5089f1f4e0256ebabd1296821ab279c0dd2df2ba2076416a7e33258dde0
Instruction ID: bdd05f50177b6ba11ce45f767416db6b32d874c5c5aeb85ea4a555637848796f
Opcode Fuzzy Hash: f261d5089f1f4e0256ebabd1296821ab279c0dd2df2ba2076416a7e33258dde0
Instruction Fuzzy Hash: C60128326896007BC612773C6C89D2B265DFBC17BAB214028F821E22D3EF34AC018325

Function 008B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?,?,008B035E), ref: 008B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?), ref: 008B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?), ref: 008B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?), ref: 008B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008AFF41,80070057,?,?), ref: 008B0070

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 324872c9c0c0c5c685e66f3c1edf0ea0b0efd78689468013d1e18cd463377242
Instruction ID: bcab9e72a32e74bd50e62d8b7b7c904da01433e56cff60573dfbee1e7d9c0a69
Opcode Fuzzy Hash: 324872c9c0c0c5c685e66f3c1edf0ea0b0efd78689468013d1e18cd463377242
Instruction Fuzzy Hash: 6E018F72A00614BFDB115F68DC44BEB7AADFB44791F144124F905D6310D771DD428BA0

Function 008BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008BE9A5
Sleep.KERNEL32(00000000), ref: 008BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008BE9B7
Sleep.KERNEL32 ref: 008BE9F3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7224b8731ce3f6ea4099301000360409c75c8b67f7554db09dbac37b7822f7ab
Instruction ID: 1ff2586897b1ef6e875d48066a8061723589fa1a1da540b8d299ca0124921887
Opcode Fuzzy Hash: 7224b8731ce3f6ea4099301000360409c75c8b67f7554db09dbac37b7822f7ab
Instruction Fuzzy Hash: 07011331C0162DDBCF00ABE5D899AEDBF78FB09701F000556E902F6241CB30A6598BA2

Function 008B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008B0B9B,?,?,?), ref: 008B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008B114D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 941dc7c5ab70a92e4bb2d4fbd70cc74644bc27f27641372269552bbfb13b7f4f
Instruction ID: f1d742a30053ea0a2d9e6a78eaae8030ab0eebedc95bae14e76146bc625eea4f
Opcode Fuzzy Hash: 941dc7c5ab70a92e4bb2d4fbd70cc74644bc27f27641372269552bbfb13b7f4f
Instruction Fuzzy Hash: D1011975600205BFDB114FA9DC9DAAA3B6EFF8A3A0B604419FE45DB360DA31DC019A60

Function 008B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008B1002

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3b012cf76806c904b5b4916336c9d94b8ddcca3ff526cfc7e065ff49f0646feb
Instruction ID: 6581e7dea67ac6f4e6b7d9ed4f86d4dd63806e159965a24449b7f1906df207a9
Opcode Fuzzy Hash: 3b012cf76806c904b5b4916336c9d94b8ddcca3ff526cfc7e065ff49f0646feb
Instruction Fuzzy Hash: 29F04935600745ABDB215FA49C8DF963BADFF8AB62F504415FE45CA261CA70DC428A60

Function 008B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008B1062

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 09a7306be2a610c3e78445d118344b2c55856eeb3799cd052dab3d1e6738233c
Instruction ID: 5096a6091f745e6ca8a8428f91416e86a1a986c2cde23d090d1236b4aa238ce0
Opcode Fuzzy Hash: 09a7306be2a610c3e78445d118344b2c55856eeb3799cd052dab3d1e6738233c
Instruction Fuzzy Hash: F3F06D35600741EBDB21AFA4EC9DF963BADFF8A761F500414FE45CB350CA70D8428A60

Function 008C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008C017D,?,008C32FC,?,00000001,00892592,?), ref: 008C0324
CloseHandle.KERNEL32(?,?,?,?,008C017D,?,008C32FC,?,00000001,00892592,?), ref: 008C0331
CloseHandle.KERNEL32(?,?,?,?,008C017D,?,008C32FC,?,00000001,00892592,?), ref: 008C033E
CloseHandle.KERNEL32(?,?,?,?,008C017D,?,008C32FC,?,00000001,00892592,?), ref: 008C034B
CloseHandle.KERNEL32(?,?,?,?,008C017D,?,008C32FC,?,00000001,00892592,?), ref: 008C0358
CloseHandle.KERNEL32(?,?,?,?,008C017D,?,008C32FC,?,00000001,00892592,?), ref: 008C0365

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 673b4325d2519fc7d855a1f0b7114e8a9880c0fc81b6f57effc188c78b7f7837
Instruction ID: 45a36a5e715f0f981b6e5c2ecdb57f14dfaa7f9e6300915d9ef4d1718a0a7de9
Opcode Fuzzy Hash: 673b4325d2519fc7d855a1f0b7114e8a9880c0fc81b6f57effc188c78b7f7837
Instruction Fuzzy Hash: D9019C72800B95DFCB30AF66D880912FBF9FE602553158A3ED19692A31C3B1A959CE80

Function 0088D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0088D752

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

_free.LIBCMT ref: 0088D764
_free.LIBCMT ref: 0088D776
_free.LIBCMT ref: 0088D788
_free.LIBCMT ref: 0088D79A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 03cec2044083d06d180a446690b1b4958fd0ec11e47b9ef254a61ade03a4ca08
Instruction ID: ab16ad33131b26abd1f7c6830d091faa86a74b1d2fb09a150f15efb466f87861
Opcode Fuzzy Hash: 03cec2044083d06d180a446690b1b4958fd0ec11e47b9ef254a61ade03a4ca08
Instruction Fuzzy Hash: 93F01D72699304AB8625FB68FDC6D5A7BEDFB44710BA54805F048E7582CB34FC808B65

Function 008B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008B5C6F
MessageBeep.USER32(00000000), ref: 008B5C87
KillTimer.USER32(?,0000040A), ref: 008B5CA3
EndDialog.USER32(?,00000001), ref: 008B5CBD

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7e8248b2e9e038d06ef12cb636518a19f9242c8fc1a3cb26e58ec71e25fbf0dd
Instruction ID: 38d947493ab9ef47ea72f42ff90ceca0cfba956406d01ff598c122d11f42e708
Opcode Fuzzy Hash: 7e8248b2e9e038d06ef12cb636518a19f9242c8fc1a3cb26e58ec71e25fbf0dd
Instruction Fuzzy Hash: B6018130900B44ABEB205B50DD9EFE67BB9FB10B06F00055DA583E51E1DBF4A9898A91

Function 008822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008822BE

Part of subcall function 008829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000), ref: 008829DE
Part of subcall function 008829C8: GetLastError.KERNEL32(00000000,?,0088D7D1,00000000,00000000,00000000,00000000,?,0088D7F8,00000000,00000007,00000000,?,0088DBF5,00000000,00000000), ref: 008829F0

_free.LIBCMT ref: 008822D0
_free.LIBCMT ref: 008822E3
_free.LIBCMT ref: 008822F4
_free.LIBCMT ref: 00882305

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 593841d8e1cb6482f5bfdcfbb795fdd3378a41b34482a857182bb9a3e224a12c
Instruction ID: 671b23192e26c05b3bf19dfce41165521530d4f21293b17ff4005f56a2308f8b
Opcode Fuzzy Hash: 593841d8e1cb6482f5bfdcfbb795fdd3378a41b34482a857182bb9a3e224a12c
Instruction Fuzzy Hash: CCF05EB09A82208BC632BF58BD41D883FA4F72C761702054AF420D22B2C7351863FFE5

Function 008695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008695D4
StrokeAndFillPath.GDI32(?,?,008A71F7,00000000,?,?,?), ref: 008695F0
SelectObject.GDI32(?,00000000), ref: 00869603
DeleteObject.GDI32 ref: 00869616
StrokePath.GDI32(?), ref: 00869631

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 382b9afca4ec2c5ce7a086c7241a7c2e078a8f36b7d52e876dea33d93c2c6e90
Instruction ID: 538e94503a6225e456b8a87303a537c4a9f8c583f748ecb5e1a22bc5574175fe
Opcode Fuzzy Hash: 382b9afca4ec2c5ce7a086c7241a7c2e078a8f36b7d52e876dea33d93c2c6e90
Instruction Fuzzy Hash: BEF0C939419788EBDB265F65ED5DB643B65FB21362F048214F465990F0C73089A7EF20

Function 00880F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008810F9
__freea.LIBCMT ref: 00881117

Part of subcall function 00881537: _free.LIBCMT ref: 0088154F

Strings

am/pm, xrefs: 0088117A
a/p, xrefs: 008811DE

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ef34d32d19fcdc4b768b1f87e7962eb0a2ca3809856967e00b192dd38342a16d
Instruction ID: 604a94f4e10a4d080208e8aa2151913141b2a9c72d835c657c2450e4bd08c384
Opcode Fuzzy Hash: ef34d32d19fcdc4b768b1f87e7962eb0a2ca3809856967e00b192dd38342a16d
Instruction Fuzzy Hash: 73D1E23590020ACACF24AF68C84DAFAB7B9FF06704F244169E505DBB51DB799D82CB51

Function 008D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00870242: EnterCriticalSection.KERNEL32(0092070C,00921884,?,?,0086198B,00922518,?,?,?,008512F9,00000000), ref: 0087024D
Part of subcall function 00870242: LeaveCriticalSection.KERNEL32(0092070C,?,0086198B,00922518,?,?,?,008512F9,00000000), ref: 0087028A

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008700A3: __onexit.LIBCMT ref: 008700A9

__Init_thread_footer.LIBCMT ref: 008D7BFB

Part of subcall function 008701F8: EnterCriticalSection.KERNEL32(0092070C,?,?,00868747,00922514), ref: 00870202
Part of subcall function 008701F8: LeaveCriticalSection.KERNEL32(0092070C,?,00868747,00922514), ref: 00870235

Strings

Variable must be of type 'Object'., xrefs: 008D7C3A
G, xrefs: 008D7C7F
5, xrefs: 008D7C78

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ea25d7e1f1a2b5e0771a812a7d893d3a17092c40503b57b0e106351d66892939
Instruction ID: 02ba30c9a8abfb6b5b34f5465962b83171f0ef68d0329743630a8e012fa98418
Opcode Fuzzy Hash: ea25d7e1f1a2b5e0771a812a7d893d3a17092c40503b57b0e106351d66892939
Instruction Fuzzy Hash: BD915B70A04209AFCB14EF58D891DADB7B2FF45304F10815AF846EB395EB71AE45CB52

Function 008B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008B21D0,?,?,00000034,00000800,?,00000034), ref: 008BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008B2760

Part of subcall function 008BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008BB3F8

Part of subcall function 008BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008BB355
Part of subcall function 008BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008B2194,00000034,?,?,00001004,00000000,00000000), ref: 008BB365
Part of subcall function 008BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008B2194,00000034,?,?,00001004,00000000,00000000), ref: 008BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008B281A

Strings

@, xrefs: 008B2832

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: adbf88c97f7103f0eb943f44e105faa0e59ff6d62a7c3829701a95441b92c5f1
Instruction ID: 1b3d4e78224e4f8a00faf1e7ed53694b70458f14f3e4577e99659864ec55eeb0
Opcode Fuzzy Hash: adbf88c97f7103f0eb943f44e105faa0e59ff6d62a7c3829701a95441b92c5f1
Instruction Fuzzy Hash: F041FE76900218AFDB10DFA8CD85ADEBBB8FF09700F104059FA55B7291DB716E45CB61

Function 0088172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\shipping advice.exe,00000104), ref: 00881769
_free.LIBCMT ref: 00881834
_free.LIBCMT ref: 0088183E

Strings

C:\Users\user\Desktop\shipping advice.exe, xrefs: 00881760, 00881767, 00881796, 008817CE

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\shipping advice.exe
API String ID: 2506810119-3906570568
Opcode ID: 1e286e619fc8ae567459aed6996d9b524daa0cfae185b05b85a98e4cf33ccd3d
Instruction ID: 5635aaf7c8a9a83ac5787fe7aacb0e0eaf65f728dc384fe1299414500144156e
Opcode Fuzzy Hash: 1e286e619fc8ae567459aed6996d9b524daa0cfae185b05b85a98e4cf33ccd3d
Instruction Fuzzy Hash: 34318E71A04218EBDF21FB999C89D9EBBFCFB95710B1041AAF804D7211DA708E42CB91

Function 008BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00921990,00EF5900), ref: 008BC395

Strings

0, xrefs: 008BC2DF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b1e6a79c97b0ed776b23ec1d9e26e9a036ee2239b5ed50907169dc9aaf0a7c92
Instruction ID: c3ffdbfffffa9f70c58aae53d75a9e0c6e734b98518d7c7aa20c99752361ef92
Opcode Fuzzy Hash: b1e6a79c97b0ed776b23ec1d9e26e9a036ee2239b5ed50907169dc9aaf0a7c92
Instruction Fuzzy Hash: FA416B312043419FD720DF29D885B9BBBE4FB89324F548A1EE9A5D7391D770A904CB62

Function 008E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008ECC08,00000000,?,?,?,?), ref: 008E44AA
GetWindowLongW.USER32 ref: 008E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008E44D7

Strings

SysTreeView32, xrefs: 008E447C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 24d60d8f44ff96aef4608927a8bcd909a877369a3710eb9cec834bc2d2702216
Instruction ID: 60bc14742e32f8e455f1b6103a0bc16e8748f258c3d40fc2495922d3860b4868
Opcode Fuzzy Hash: 24d60d8f44ff96aef4608927a8bcd909a877369a3710eb9cec834bc2d2702216
Instruction Fuzzy Hash: AC319C31210685ABDB208E39DC85BEA7BA9FB0A338F205315F979E21E0D770AC519750

Function 008D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008D3077,?,?), ref: 008D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008D307A
_wcslen.LIBCMT ref: 008D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 008D3106

Strings

255.255.255.255, xrefs: 008D3095, 008D309A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 203bb9cb23ca23fd2a67d09a7a2919e0dd8bd72f9ab2418bd91c1e36e535d0f6
Instruction ID: 5ba215529f4d1a0717161c2eccb0d37de1352ec7bb35c6529e7a47e82bdf7228
Opcode Fuzzy Hash: 203bb9cb23ca23fd2a67d09a7a2919e0dd8bd72f9ab2418bd91c1e36e535d0f6
Instruction Fuzzy Hash: C031D539600206DFCB10DF68C585EA977E0FF14318F24826AE915DB392DB71DE45C762

Function 008E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008E471A

Strings

msctls_updown32, xrefs: 008E4684

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 878fb27e69ab35a9a13264bcee0616089b3ca86c06d9c9f230a3c6bbee14f75c
Instruction ID: e85d6610fedb600ec0c684276d55b7e15933390f13dd6442ecc0bd403d90dee5
Opcode Fuzzy Hash: 878fb27e69ab35a9a13264bcee0616089b3ca86c06d9c9f230a3c6bbee14f75c
Instruction Fuzzy Hash: 00216DB5600248AFDB10DF69DCC1DA737ADFB5B364B040049F905DB261CB30EC52DAA1

Function 008B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B961D

Strings

#notrayicon, xrefs: 008B95B7
#requireadmin, xrefs: 008B95D9
#OnAutoItStartRegister, xrefs: 008B95F3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 57edde0e172e56dbede429e32f7581538f9f7cb21d67c2a79a2335a02db34735
Instruction ID: 5f27fe88e2b506c78e572b6a0907887cfa96640ed0946682ec1fee9fd7770b77
Opcode Fuzzy Hash: 57edde0e172e56dbede429e32f7581538f9f7cb21d67c2a79a2335a02db34735
Instruction Fuzzy Hash: 28213832144114A6C331AA299C02FFB73D8FFA2314F108026FBD9DB242EB55ED45C396

Function 008E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008E3876

Strings

Listbox, xrefs: 008E380F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5b9480b04785563286f7d3cc8b74772791b09d9d0f11c2c3027e8ab7d0b29076
Instruction ID: 56de9ab50c09d0d7ec40acc4c26c8bbaf780019025d35a853997fa21859d2980
Opcode Fuzzy Hash: 5b9480b04785563286f7d3cc8b74772791b09d9d0f11c2c3027e8ab7d0b29076
Instruction Fuzzy Hash: 01218E72610258BBEB218F56CC89EAB3B6AFF8A764F108124F914DB190C671DD5287A0

Function 008C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008C4A5C
SetErrorMode.KERNEL32(00000000,?,?,008ECC08), ref: 008C4AD0

Strings

%lu, xrefs: 008C4A6F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 759fa9ee847b88a771572005b3d01eaec911e2a8e475dd2f2c2a2139f90c66ea
Instruction ID: 723be9871aa5b239c2872b410376d8c10193cad6c7eb68ad0913e8e7057999b4
Opcode Fuzzy Hash: 759fa9ee847b88a771572005b3d01eaec911e2a8e475dd2f2c2a2139f90c66ea
Instruction Fuzzy Hash: D1312F75A00119AFDB10DF58C885EAA77F8FF05308F1480A9E905DB252D771ED46CB61

Function 008E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008E4271

Strings

msctls_trackbar32, xrefs: 008E4226

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1c0395cdc881ab7efde0594c97a4ed51c87366796460c1ce363fab0d67e4163e
Instruction ID: ef49ddc43e7b3a38dabc07453a1593c207801ae13f13e0c1fb3fcfbdb08ff4ca
Opcode Fuzzy Hash: 1c0395cdc881ab7efde0594c97a4ed51c87366796460c1ce363fab0d67e4163e
Instruction Fuzzy Hash: 1E11C631240288BEEF205F69CC46FAB7BACFF96B64F110524FA59E60A0D671DC619B10

Function 008B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00856B57: _wcslen.LIBCMT ref: 00856B6A

Part of subcall function 008B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008B2DC5
Part of subcall function 008B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B2DD6
Part of subcall function 008B2DA7: GetCurrentThreadId.KERNEL32 ref: 008B2DDD
Part of subcall function 008B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008B2DE4

GetFocus.USER32 ref: 008B2F78

Part of subcall function 008B2DEE: GetParent.USER32(00000000), ref: 008B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008B2FC3
EnumChildWindows.USER32(?,008B303B), ref: 008B2FEB

Strings

%s%d, xrefs: 008B2FFF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 691f27d8042c4e5ed487a130d1b4b83549d5e3d580ad069a62c357865256be7d
Instruction ID: e9c9d02a5860daec09a8bfb4b648dcf5070a5f82d60ea20dee43f4455ed15eb5
Opcode Fuzzy Hash: 691f27d8042c4e5ed487a130d1b4b83549d5e3d580ad069a62c357865256be7d
Instruction Fuzzy Hash: 8B11D2716002096BCF007F688CC6EEE376AFF95315F044079BD09DB252EE34994A8B61

Function 008E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008E58EE
DrawMenuBar.USER32(?), ref: 008E58FD

Strings

0, xrefs: 008E588F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9e7e0246b3350be02298e21531972e5f37a8e749497544a69f4fa456af1ed474
Instruction ID: 66a870e3e7681c7cb7d41d550bc75cc677316ff9155ea6a2505e0033fecefee1
Opcode Fuzzy Hash: 9e7e0246b3350be02298e21531972e5f37a8e749497544a69f4fa456af1ed474
Instruction Fuzzy Hash: A3015E31500258EEDB119F16EC44BAEBFB4FB46368F108099E949DA152DB308A94DF21

Function 008B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba90b045d2a4afd4f50803c0be18960972dcb9ee6dbdf5d9a9e96d3ceabde8d
Instruction ID: 4e2b5e6445165ceb007008dd3f82b1bf97336a453a43ca483e05d9b412d8e1ec
Opcode Fuzzy Hash: 1ba90b045d2a4afd4f50803c0be18960972dcb9ee6dbdf5d9a9e96d3ceabde8d
Instruction Fuzzy Hash: EAC12875A0021AAFDB15CFA8C898AAEB7B5FF48704F208598E505EB351D731EE45CF90

Function 00883E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00883F0B
__alldvrm.LIBCMT ref: 0088410C
__alldvrm.LIBCMT ref: 0088412E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7184b71edd25d2106d224fd628bddaecf2850ea796a7c47667b26dfd891e6f9d
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B2A15676E047879FDB21EF18C8917AEBBE4FF61350F18416DE685DB282C6388981C791

Function 008D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008D3459
CoUninitialize.OLE32 ref: 008D3463
VariantInit.OLEAUT32(?), ref: 008D346E
VariantClear.OLEAUT32(?), ref: 008D371B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c1700926737d5ddd1a4e58452cf448f9bc4aaff21e996bec8625c4cec19e4d60
Instruction ID: e348e0e0da4672f170b40519fea63e055c76041684921ccdc630b608401e2412
Opcode Fuzzy Hash: c1700926737d5ddd1a4e58452cf448f9bc4aaff21e996bec8625c4cec19e4d60
Instruction Fuzzy Hash: 2CA137756047009FCB10DF28D485A2AB7E5FF88755F04895AF98ADB362DB30EE05CB92

Function 008B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008EFC08,?), ref: 008B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008EFC08,?), ref: 008B0608
CLSIDFromProgID.OLE32(?,?,00000000,008ECC40,000000FF,?,00000000,00000800,00000000,?,008EFC08,?), ref: 008B062D
_memcmp.LIBVCRUNTIME ref: 008B064E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: aa3ce17bd7fad4023a236025b7e59176f91b64e6fc3ca845c418340034beff04
Instruction ID: 0977b0c2aa153922e7b03bc8d763db5e20bc712dfbb00db143b8f7b33d640ac1
Opcode Fuzzy Hash: aa3ce17bd7fad4023a236025b7e59176f91b64e6fc3ca845c418340034beff04
Instruction Fuzzy Hash: BF81D675A00209EFCB04DF98C984EEEB7B9FF89315B204558E516EB250DB71AE06CF60

Function 00891391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008914C0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7ee76b156ff04801eaa80a0622fa8b6fc6875a550f872a15e9848a9b140ec93e
Instruction ID: 9dfb2bcda4ff12a5ab7184897beae1129b2ea8b8d2c627fde8f9ef9ac4b353d1
Opcode Fuzzy Hash: 7ee76b156ff04801eaa80a0622fa8b6fc6875a550f872a15e9848a9b140ec93e
Instruction Fuzzy Hash: 57416D31A08106ABDF217BFD8C8DABE3AA6FF45370F2C4225F419D6293E67488415767

Function 008E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EFE450,?), ref: 008E62E2
ScreenToClient.USER32(?,?), ref: 008E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008E6382

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9057aa74a4c0c7f4dc30afca3513e93946dd128080951805a02ff19e23359374
Instruction ID: 5455e658cd7a7c209f72a6e056275637364b6609ef916bb0b60cd26080ef0426
Opcode Fuzzy Hash: 9057aa74a4c0c7f4dc30afca3513e93946dd128080951805a02ff19e23359374
Instruction Fuzzy Hash: E3512D74900249EFCF14DF59D8809AE7BB6FB663A4F108159F915DB2A0E730ED91CB50

Function 008D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008D1AFD
WSAGetLastError.WSOCK32 ref: 008D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008D1B8A
WSAGetLastError.WSOCK32 ref: 008D1B94

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 64be82a7337f3176e2d2e75071bff8152fc861230ed6adffe8c886d6f7d6006d
Instruction ID: 1300ca8581f7316afa27d83025c266c8e04022054770e92d35a2178dd4aa7345
Opcode Fuzzy Hash: 64be82a7337f3176e2d2e75071bff8152fc861230ed6adffe8c886d6f7d6006d
Instruction Fuzzy Hash: 58416034640200AFEB20AF28C886F2A77A5FF44718F548559F955DF392D672ED418B91

Function 0088B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a4038549f843e87b643af207fbedca922c488f0ebfc29077cc0d8715f0f696
Instruction ID: c39f8443a74f67f786195dc15e403085f02fbaff86d3227362911abce7a0cd2c
Opcode Fuzzy Hash: 97a4038549f843e87b643af207fbedca922c488f0ebfc29077cc0d8715f0f696
Instruction Fuzzy Hash: 4F410675A00708AFD724BF7CCC42B6EBBA9FBC8710F10852AF546DB292D771A9018791

Function 008C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008C5783
GetLastError.KERNEL32(?,00000000), ref: 008C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008C57FA

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 114d875150a4e871d9ca29eda2ac267d30e80c870d6c5b35fe9404b3dc51fddc
Instruction ID: 1dc6258fe9975e2584c12809b6ba33917ea0b823819dd404f3f51218aae1aa94
Opcode Fuzzy Hash: 114d875150a4e871d9ca29eda2ac267d30e80c870d6c5b35fe9404b3dc51fddc
Instruction Fuzzy Hash: 8741F835600610DFCB11DF19C444A5ABBE1FF89321B19C498ED4A9B362DB30FD45CB92

Function 0088D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00876D71,00000000,00000000,008782D9,?,008782D9,?,00000001,00876D71,8BE85006,00000001,008782D9,008782D9), ref: 0088D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0088D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0088D9AB
__freea.LIBCMT ref: 0088D9B4

Part of subcall function 00883820: RtlAllocateHeap.NTDLL(00000000,?,00921444,?,0086FDF5,?,?,0085A976,00000010,00921440,008513FC,?,008513C6,?,00851129), ref: 00883852

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 89a3dc5862d47be5ceddd70b046d0b6d7d5879634b8ff240b4e36df12e331c1f
Instruction ID: 790d515a719136be9e3804c07f7ef9538451a2b71eca18c48ddbb8e6ae11234d
Opcode Fuzzy Hash: 89a3dc5862d47be5ceddd70b046d0b6d7d5879634b8ff240b4e36df12e331c1f
Instruction Fuzzy Hash: 9431BE72A0021AABDF25AF69DC85EAE7BA5FB41710F054168FC08DB290EB35CD51CB91

Function 008E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008E5352
GetWindowLongW.USER32(?,000000F0), ref: 008E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008E53A8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e2a912ffdef1ce73ac39918a7eef0d0fafcd43fbcd257970e377f621de9075ec
Instruction ID: a02190f1c67056ce94fc09bc9247cb15ed188410efd0e5b61f9d66d62181ea57
Opcode Fuzzy Hash: e2a912ffdef1ce73ac39918a7eef0d0fafcd43fbcd257970e377f621de9075ec
Instruction Fuzzy Hash: 1C310434A55A8CEFEB309B16CC45BE93766FB07398F584001FA10D63E1C7B09D809B42

Function 008BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008BAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008BACC6

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8660a462e602994edcc5c384caf5dfbf6d445ebdc98828c0e7a59223fd71df80
Instruction ID: 49b2399f27e035d7154c74e7b8d840a93ddc704a341e14bf0577c52880a97414
Opcode Fuzzy Hash: 8660a462e602994edcc5c384caf5dfbf6d445ebdc98828c0e7a59223fd71df80
Instruction Fuzzy Hash: BE311430A00258AFEF398B68C8657FE7FA5FB89310F04421AE481D63D1D374898587A2

Function 008E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008E769A
GetWindowRect.USER32(?,?), ref: 008E7710
PtInRect.USER32(?,?,008E8B89), ref: 008E7720
MessageBeep.USER32(00000000), ref: 008E778C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4e831064c016f1c2831b70bf3ab274852059bb574f81217d0c9a2a384265b980
Instruction ID: 342e7d3a257fd9b62e7ce280059b217a9e6e69a48e657112e1e579cde4d2e6e5
Opcode Fuzzy Hash: 4e831064c016f1c2831b70bf3ab274852059bb574f81217d0c9a2a384265b980
Instruction Fuzzy Hash: D4418B38A09294EFDB11CF5ADC94EA9B7F5FB5A314F1540A8E914DB261C730E982CF90

Function 008E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008E16EB

Part of subcall function 008B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B3A57
Part of subcall function 008B3A3D: GetCurrentThreadId.KERNEL32 ref: 008B3A5E
Part of subcall function 008B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B25B3), ref: 008B3A65

GetCaretPos.USER32(?), ref: 008E16FF
ClientToScreen.USER32(00000000,?), ref: 008E174C
GetForegroundWindow.USER32 ref: 008E1752

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6f69500e3fa35cbc2df4b86572cdf274556f32603e7a153c27450181db811247
Instruction ID: 64930c594db9472025a12b5e63be38c3894425062b8e4facf54de0a68781a818
Opcode Fuzzy Hash: 6f69500e3fa35cbc2df4b86572cdf274556f32603e7a153c27450181db811247
Instruction Fuzzy Hash: E8313071D00249AFCB00EFAAC885CEEB7F9FF49304B508069E415E7251EA319E45CFA1

Function 008BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008BD501
Process32FirstW.KERNEL32(00000000,?), ref: 008BD50F
Process32NextW.KERNEL32(00000000,?), ref: 008BD52F
CloseHandle.KERNEL32(00000000), ref: 008BD5DC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e8a2c864d1bbe5fc79ec6ed9e6db954ba68588f913a0cd7000d61c80cea9946e
Instruction ID: c4d486b6438b7f7d27cb95f925dcdddd3a17e5ad3f690480ffe88566046f5a9f
Opcode Fuzzy Hash: e8a2c864d1bbe5fc79ec6ed9e6db954ba68588f913a0cd7000d61c80cea9946e
Instruction Fuzzy Hash: A5317071108340AFD314EF54C881AAFBBE8FF99354F54092DF981C62A1EB719949CB93

Function 008E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

GetCursorPos.USER32(?), ref: 008E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008A7711,?,?,?,?,?), ref: 008E9016
GetCursorPos.USER32(?), ref: 008E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008A7711,?,?,?), ref: 008E9094

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a9b56d9596b6bf8aabe46319aba05aa3ebdf535c138146f36a8f2addf8e72c2a
Instruction ID: ffbef91d5c84ff571b8240ff010d0e11089428e2f4b4f97302ea2e49ceaa932b
Opcode Fuzzy Hash: a9b56d9596b6bf8aabe46319aba05aa3ebdf535c138146f36a8f2addf8e72c2a
Instruction Fuzzy Hash: 3421EF36600558FFCB258F95C898EEA3BF9FB8A320F400055F9458B2A1C3719A91EB60

Function 008BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008ECB68), ref: 008BD2FB
GetLastError.KERNEL32 ref: 008BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008ECB68), ref: 008BD376

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a3e0cd17925359d32e10332e0f3ee901e5325875d34705de2fc72726937626a2
Instruction ID: 41567873323bccd561bbeb39b5cf508734cf36ea22b820ffc471233cef61fdfa
Opcode Fuzzy Hash: a3e0cd17925359d32e10332e0f3ee901e5325875d34705de2fc72726937626a2
Instruction Fuzzy Hash: 9A213070905301EF8710DF28C8814AA77E4FE5A765F504A1DF8A9C73A2F731994ACB93

Function 008B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008B102A
Part of subcall function 008B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008B1036
Part of subcall function 008B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008B1045
Part of subcall function 008B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008B104C
Part of subcall function 008B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008B15BE
_memcmp.LIBVCRUNTIME ref: 008B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1617
HeapFree.KERNEL32(00000000), ref: 008B161E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f8795025a62bfd1640d5df4dfb0410772c7fa3afbf9bc843dda01a6cf2a73e28
Instruction ID: 921ad3b648adfb72947e2dc1dba4edc1a466fbc20881b9af891120bb6aa2e609
Opcode Fuzzy Hash: f8795025a62bfd1640d5df4dfb0410772c7fa3afbf9bc843dda01a6cf2a73e28
Instruction Fuzzy Hash: 64215731E00108ABDF10DFA4C959BEEB7B8FF55344F484459E441EB241E730AA05CBA0

Function 008E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008E2840

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 25efb764088d93bd45077449aec0ecd2628459ea4887c1a8f4eaaf6dca4c0c47
Instruction ID: 0917d6dd8e0e2ae7e4d569de43e12525eb8640f12f4fcf8bffc5350606163a72
Opcode Fuzzy Hash: 25efb764088d93bd45077449aec0ecd2628459ea4887c1a8f4eaaf6dca4c0c47
Instruction Fuzzy Hash: 7521D6316041A5AFD7149B25CC45F6A7799FF46324F148158F826CB6E2CB71FC42C791

Function 008B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008B790A,?,000000FF,?,008B8754,00000000,?,0000001C,?,?), ref: 008B8D8C
Part of subcall function 008B8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 008B8DB2
Part of subcall function 008B8D7D: lstrcmpiW.KERNEL32(00000000,?,008B790A,?,000000FF,?,008B8754,00000000,?,0000001C,?,?), ref: 008B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008B8754,00000000,?,0000001C,?,?,00000000), ref: 008B7923
lstrcpyW.KERNEL32(00000000,?), ref: 008B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008B8754,00000000,?,0000001C,?,?,00000000), ref: 008B7984

Strings

cdecl, xrefs: 008B797B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ab3f8a44df6ed8d97d95b54068c0284698f45122f9d9beb52db4f97a761e1137
Instruction ID: a8a6b6ebe76e7df5474e4d91c409d460d21f905f4284eda8d32cefd2f6b68566
Opcode Fuzzy Hash: ab3f8a44df6ed8d97d95b54068c0284698f45122f9d9beb52db4f97a761e1137
Instruction Fuzzy Hash: A111E63A201342ABCB159F39D845DBA7BA9FF85350B50402AF946CB3A4EB35D811C7A1

Function 008E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008CB7AD,00000000), ref: 008E7D6B

Part of subcall function 00869BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00869BB2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6d2e5611c8fee139bcd9ae53f49b5dc74446869a3c172cafd6af063d31bce4dc
Instruction ID: c1935ce43232743a4a0223c0f75365265e48505d717e8f90e59edf3824a93c45
Opcode Fuzzy Hash: 6d2e5611c8fee139bcd9ae53f49b5dc74446869a3c172cafd6af063d31bce4dc
Instruction Fuzzy Hash: 6811AE31614694AFCB108F29DC44A763BA4FF46360B154324FC35CB2F4D7308961DB40

Function 008E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008E56BB
_wcslen.LIBCMT ref: 008E56CD
_wcslen.LIBCMT ref: 008E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008E5816

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bdb542f7c6d825e8066465b87529a0c732e608bcdc791745151cf050f830af34
Instruction ID: cf5040d80c2fce78b8892789ad20c0e0b563f5b318ea4b5cfeb9181afa944030
Opcode Fuzzy Hash: bdb542f7c6d825e8066465b87529a0c732e608bcdc791745151cf050f830af34
Instruction Fuzzy Hash: F311E971A00699A6DF20DF66DCC5AEE7B6CFF2276CF104026F915D6091E770C980CB65

Function 00881D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1846780fa3c79a6f511586edc48418020b8b87d5827e1242810b14f48dda4680
Instruction ID: ee3e63ace61131aa048c3366dfe85af021b06b1858898dac05740f173c504208
Opcode Fuzzy Hash: 1846780fa3c79a6f511586edc48418020b8b87d5827e1242810b14f48dda4680
Instruction Fuzzy Hash: 0E01ADB260961A7EFA2136786CC9F27661DFF813B8B310725F521E11D2DF608C025360

Function 008B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B1A8A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2adbf3e6bba5ffbec289ef3688dcee4925a08400e6115e761d80a322707f65bc
Instruction ID: f245e519c8afaf97a741aa936c41d09324e4566bd993b4a1fd294c6588209992
Opcode Fuzzy Hash: 2adbf3e6bba5ffbec289ef3688dcee4925a08400e6115e761d80a322707f65bc
Instruction Fuzzy Hash: 0E11153A901229BFEF109BA48985FADBB78FB08750F200091EA00BB290D6716E509B94

Function 008BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008BE24D

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0d1efc955e920188ef70ba543e63b164f62fcabaf5e2fb81e1ef7dd39a33a200
Instruction ID: 8c16f1faaabb1ede1862d84c98b77eec4a202417fad2a0a64f5194a31e45cffd
Opcode Fuzzy Hash: 0d1efc955e920188ef70ba543e63b164f62fcabaf5e2fb81e1ef7dd39a33a200
Instruction Fuzzy Hash: 3511ED72D08258AFC711DFA8AC49ADE7BADFB45321F108269F825E3391D6B0D90187A0

Function 0087D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0087CFF9,00000000,00000004,00000000), ref: 0087D218
GetLastError.KERNEL32 ref: 0087D224
__dosmaperr.LIBCMT ref: 0087D22B
ResumeThread.KERNEL32(00000000), ref: 0087D249

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 82e836a6cf7cc398969035c5288b7bebefe8200873ffd8e9e7302a784e318f13
Instruction ID: 5d4741c89e9a78144c870e1e85875e28a34077944dd34f0f3dc056b9daf341b3
Opcode Fuzzy Hash: 82e836a6cf7cc398969035c5288b7bebefe8200873ffd8e9e7302a784e318f13
Instruction Fuzzy Hash: E501D636815308BBC7116BA9DC45BAA7A79FF81731F208219F92DD61D6CF70D902C6A1

Function 0085600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0085604C
GetStockObject.GDI32(00000011), ref: 00856060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0085606A

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 07bc93668e89fd4e1c6a5c080c9084719296a2888f557a1e89ef429c1234d1d9
Instruction ID: ed320dcf6bc891fa925dbd85e6f8a06e997ea9a21bf25c9e2d2f4fd6a1fbaa4a
Opcode Fuzzy Hash: 07bc93668e89fd4e1c6a5c080c9084719296a2888f557a1e89ef429c1234d1d9
Instruction Fuzzy Hash: 3011A172501948BFEF124F94DC44EEA7BA9FF18365F440205FE04A6060D732DC65DB90

Function 00873B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00873B56

Part of subcall function 00873AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00873AD2
Part of subcall function 00873AA3: ___AdjustPointer.LIBCMT ref: 00873AED

_UnwindNestedFrames.LIBCMT ref: 00873B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00873B7C
CallCatchBlock.LIBVCRUNTIME ref: 00873BA4

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 833f23a3bb8fa1595a6b6a62637999087895f064b637459824081d22e8a8ce7e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 25012D32100148BBDF115E99CC46DEB7B69FF59754F048018FE5C96125C732D961EBA2

Function 00883073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008513C6,00000000,00000000,?,0088301A,008513C6,00000000,00000000,00000000,?,0088328B,00000006,FlsSetValue), ref: 008830A5
GetLastError.KERNEL32(?,0088301A,008513C6,00000000,00000000,00000000,?,0088328B,00000006,FlsSetValue,008F2290,FlsSetValue,00000000,00000364,?,00882E46), ref: 008830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0088301A,008513C6,00000000,00000000,00000000,?,0088328B,00000006,FlsSetValue,008F2290,FlsSetValue,00000000), ref: 008830BF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 08bdafe4cd43362f12ae7c069f6fb31a6a700c78290c2e16d37766bf2db7df8d
Instruction ID: bf3a31c743520a6f5c335036d0549457fefbf186527c076b0615f2a8b87e2647
Opcode Fuzzy Hash: 08bdafe4cd43362f12ae7c069f6fb31a6a700c78290c2e16d37766bf2db7df8d
Instruction Fuzzy Hash: D401F732712B26ABCB315BB99C849677B98FF45F61B100720FD05E7141C721D902C7E0

Function 008B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008B74CA

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 05c81eabf9de3da55548aaa6784b45c82767267a667c4fb16f3882f9b23cdbbd
Instruction ID: a25f6a7099fae390d464714af95c96b16201c41b147d4f44aa450a2f57884088
Opcode Fuzzy Hash: 05c81eabf9de3da55548aaa6784b45c82767267a667c4fb16f3882f9b23cdbbd
Instruction Fuzzy Hash: D911A1B16053159BE7208F14DC48FD27BFCFB40B09F108569E626DA291D770E944DB94

Function 008BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008BACD3,?,00008000), ref: 008BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008BACD3,?,00008000), ref: 008BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008BACD3,?,00008000), ref: 008BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008BACD3,?,00008000), ref: 008BB126

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cf71e34ed8b6a50369e34ccb47bdef9e1742c3c302b7d54be856fea54659061b
Instruction ID: 6023e570756c8133b675d87aa4d4e5df13e04ff7688f80e04b28405d574240b5
Opcode Fuzzy Hash: cf71e34ed8b6a50369e34ccb47bdef9e1742c3c302b7d54be856fea54659061b
Instruction Fuzzy Hash: F1115B31D0192DE7CF10AFE8E9986FEBF78FF0A711F114085D951B6281DBB096518B51

Function 008B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008B2DD6
GetCurrentThreadId.KERNEL32 ref: 008B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008B2DE4

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 43b97782018ce64517dd6ad6639c821d21380225324a5e807591f37d51d096f3
Instruction ID: 0bce87649bcbd03d9cb074e7cbd70cd4ded8c5543f135814249fc8a9ebdcd1a6
Opcode Fuzzy Hash: 43b97782018ce64517dd6ad6639c821d21380225324a5e807591f37d51d096f3
Instruction Fuzzy Hash: 00E092B2901228BBDB201B739C4DFEB3E6CFF52BA1F040119F506D51909AA0C842C6B0

Function 008E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00869639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00869693
Part of subcall function 00869639: SelectObject.GDI32(?,00000000), ref: 008696A2
Part of subcall function 00869639: BeginPath.GDI32(?), ref: 008696B9
Part of subcall function 00869639: SelectObject.GDI32(?,00000000), ref: 008696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008E8887
LineTo.GDI32(?,?,?), ref: 008E8894
EndPath.GDI32(?), ref: 008E88A4
StrokePath.GDI32(?), ref: 008E88B2

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ee3d249101d4a21e26d00bec081b664645467debe93930c4ec03ce16e62e9dd5
Instruction ID: f49c5c64534f3b83a948acc54b06dff461b1c36c3875d1398a57a5256b570f89
Opcode Fuzzy Hash: ee3d249101d4a21e26d00bec081b664645467debe93930c4ec03ce16e62e9dd5
Instruction Fuzzy Hash: 9DF05E3A0456A8FADB125F94AC09FCE3F59BF16310F048000FE11A90E1C7755562DFE5

Function 008698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008698CC
SetTextColor.GDI32(?,?), ref: 008698D6
SetBkMode.GDI32(?,00000001), ref: 008698E9
GetStockObject.GDI32(00000005), ref: 008698F1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 94ae45cfbc17b9e4f6f5c7ef3e159ef433c93d1ba2d9c71290df89ac21e9e2e8
Instruction ID: 1c86dd9c04ce6599a6ca78e366e8957a4914268127658f9e438dc5bc46187c43
Opcode Fuzzy Hash: 94ae45cfbc17b9e4f6f5c7ef3e159ef433c93d1ba2d9c71290df89ac21e9e2e8
Instruction Fuzzy Hash: 19E06D31A44680AAEB215B78EC49BE83F20FB12336F048219F6FA980E1C3714641AB10

Function 008B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008B11D9), ref: 008B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008B11D9), ref: 008B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008B11D9), ref: 008B164F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 71b53813ed9a38098270a9a188086c01dda442a580968031188b4f1924f35bf5
Instruction ID: c52dd3210b21d0e2c7a742e1057a549477e6a26c83ea3cb97519e0f7e15e765a
Opcode Fuzzy Hash: 71b53813ed9a38098270a9a188086c01dda442a580968031188b4f1924f35bf5
Instruction Fuzzy Hash: 59E08C32A02211EBDB201FA5AE4DB8A3B7CFF557A2F148808F645CD080E7349442CB60

Function 008AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008AD858
GetDC.USER32(00000000), ref: 008AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008AD882
ReleaseDC.USER32(?), ref: 008AD8A3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b6c52a845500d1ec21709be52e16ddc727dc80237714926740d82d4b62a1a74f
Instruction ID: 4cf7e79d34f6af308c5279d1a6ad21f745ae5bae058c30da03ceb6b9bbaf124e
Opcode Fuzzy Hash: b6c52a845500d1ec21709be52e16ddc727dc80237714926740d82d4b62a1a74f
Instruction Fuzzy Hash: 99E01AB4C00304DFCF419FA4D84866EBBB1FB58311F108419E816EB260CB384902AF41

Function 008AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008AD86C
GetDC.USER32(00000000), ref: 008AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008AD882
ReleaseDC.USER32(?), ref: 008AD8A3

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b67fa97031a14e90ce505c3c475fe0abbeee0842b3d31a1938256e05549bd5ac
Instruction ID: 9350f812a44680aab53b9c9d898d9a0d134cf0293af120683e8bc5ace524e9bb
Opcode Fuzzy Hash: b67fa97031a14e90ce505c3c475fe0abbeee0842b3d31a1938256e05549bd5ac
Instruction Fuzzy Hash: DFE012B4C00204EFCF40AFA4D88866EBBB1FB58311B108408E81AEB260CB385902AF40

Function 008C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00857620: _wcslen.LIBCMT ref: 00857625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008C4ED4

Strings

*, xrefs: 008C4E10
LPT, xrefs: 008C4DFB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 98543bf68f03ddd161b414251d0eb0d7fabd228647ab78a26b76fbd9772031b3
Instruction ID: 8e17b23008c1a0442093456f51a666f2b35e24aa17b7fd191926d96e120278ea
Opcode Fuzzy Hash: 98543bf68f03ddd161b414251d0eb0d7fabd228647ab78a26b76fbd9772031b3
Instruction Fuzzy Hash: 1C914A75A002049FDB14DF58C494EAABBF1FF44318F19909DE84A9B3A2DB31ED85CB91

Function 0087E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0087E30D

Strings

pow, xrefs: 0087E2E5, 0087E302

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0f8c0280bf88f724b0b714ffb9165bb4cd6392db09b4536133e9423b67f8413f
Instruction ID: 9666cf0723e456e1e6490ac08e2e3b12c6dfd5ee4b7cc7b0a647490a7a4ef3d0
Opcode Fuzzy Hash: 0f8c0280bf88f724b0b714ffb9165bb4cd6392db09b4536133e9423b67f8413f
Instruction Fuzzy Hash: 28514961A1C20696DB217728C9417793BB4FB54B40F34C9E8E099C33AEEB35CC91DB46

Function 0086E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0086E1B1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2c6f2acf833a99c46d877844411ca82067388ccc61044115af209d504887352f
Instruction ID: 0767bd247a8b1fca43cf82c065a745ea953930dcbbfd804f1fbadb444340f50f
Opcode Fuzzy Hash: 2c6f2acf833a99c46d877844411ca82067388ccc61044115af209d504887352f
Instruction Fuzzy Hash: 1451657990424ADFEB15DF28C491ABA7BA5FF16310F244415FC91DB2C0DB349D46CBA1

Function 0086F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0086F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0086F2BB

Strings

@, xrefs: 0086F2AF

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2713fff3a89a6c56187c602e1913db5f6fe93147be44eccae12cfdfd2a566391
Instruction ID: 20ba8ba38d72678ebad36ba6fbd276e1d2d7ed96ed5b9a5ceafd0b8d91c296d6
Opcode Fuzzy Hash: 2713fff3a89a6c56187c602e1913db5f6fe93147be44eccae12cfdfd2a566391
Instruction Fuzzy Hash: 5D5125714187449BD320AF14EC86BAFBBF8FB84301F81885DF6D9811A5EB708529CB67

Function 008D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008D57E0
_wcslen.LIBCMT ref: 008D57EC

Strings

CALLARGARRAY, xrefs: 008D57E6, 008D57EB

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 824241be3cc55a1967de8666b7286f8ed560af378f6d5897a3810f60225a45ca
Instruction ID: 088d2e3f56eb6650d534ce2a22b0900a43f2a60c1ad854fdad74a8f5c216a871
Opcode Fuzzy Hash: 824241be3cc55a1967de8666b7286f8ed560af378f6d5897a3810f60225a45ca
Instruction Fuzzy Hash: 9341AE31E002099FCB14DFA9C8819AEBBB5FF59724F10416BE505E7351EB309D81DB91

Function 008CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008CD13A

Strings

|, xrefs: 008CD10B

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2f4e7769bd29b1325c4d0f3a4914bb6b82b1a2817c37f76974f848406d444886
Instruction ID: 7dc2eeb60c93f5507c4f6eed4806ccc6abc55a5dade9ab160992fdd100ac9f21
Opcode Fuzzy Hash: 2f4e7769bd29b1325c4d0f3a4914bb6b82b1a2817c37f76974f848406d444886
Instruction Fuzzy Hash: 33310A71D01219ABCF15EFA4CC85EEEBFBAFF04304F100029F815A6166E731AA56CB51

Function 008E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008E365C

Strings

static, xrefs: 008E35BC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0d00b777f1d58fdd7c7c2e1d98b7748d7f7f243553bee3cc0d4858681be871a7
Instruction ID: 0856bc11d60ba6f85c7ab6fc81564553f4ef6b5052e9a61defdc90070d3c612d
Opcode Fuzzy Hash: 0d00b777f1d58fdd7c7c2e1d98b7748d7f7f243553bee3cc0d4858681be871a7
Instruction Fuzzy Hash: 0031BC71100644AEDB209F39DC84EFB73A9FF99720F008619F8A5D7290DA30ED92DB60

Function 008E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 008E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008E4634

Strings

', xrefs: 008E458E

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 675226e9a59675336e5dd7dd1fc4420296139e6afbe106b5d2fd51173d9b707b
Instruction ID: b386106ef0f2c2bf80e5f0837f15e016a581973e41683d9916898790c3a085f7
Opcode Fuzzy Hash: 675226e9a59675336e5dd7dd1fc4420296139e6afbe106b5d2fd51173d9b707b
Instruction Fuzzy Hash: 1D313974A0034A9FDB14CF6AC980BDA7BB5FF1A300F105169E908EB351D770A941CF90

Function 008E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008E3287

Strings

Combobox, xrefs: 008E3249

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7b7414bfed43de578d659e040e11aca0f9edc9a9d5f86df08f68efe1a76daec1
Instruction ID: 57a073bd3db8e42f8d615249a8ceb9d1d2713faf1fa092ea4eda238a66cdc92a
Opcode Fuzzy Hash: 7b7414bfed43de578d659e040e11aca0f9edc9a9d5f86df08f68efe1a76daec1
Instruction Fuzzy Hash: EE11E2713002487FEF219E95DC88EBB37AAFB96365F100128FA58E7290D6319D618760

Function 008E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0085600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0085604C
Part of subcall function 0085600E: GetStockObject.GDI32(00000011), ref: 00856060
Part of subcall function 0085600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0085606A

GetWindowRect.USER32(00000000,?), ref: 008E377A
GetSysColor.USER32(00000012), ref: 008E3794

Strings

static, xrefs: 008E3757

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 62edcac84d7f59d3e27a2d1826d92e3e01e5ee40dd80f2560b8d28f7cc24f9f8
Instruction ID: d67a3db05cdc68d824b7d2527f4c4e077ac80720ab9926c6b52cd9f99245e6bb
Opcode Fuzzy Hash: 62edcac84d7f59d3e27a2d1826d92e3e01e5ee40dd80f2560b8d28f7cc24f9f8
Instruction Fuzzy Hash: 631129B2610249AFDF10DFA8CC49AFA7BB8FB09314F004524FD55E3250E735E9619B50

Function 008CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008CCDA6

Strings

<local>, xrefs: 008CCD66

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f0700eaec3e808fd7969253eed95fa5af3e32f9fc0ca836268172dce5ad56bf2
Instruction ID: 1d0375425d261946257ea61142d0b4e68478a2a35f4c378af0b20f6adc3a32b2
Opcode Fuzzy Hash: f0700eaec3e808fd7969253eed95fa5af3e32f9fc0ca836268172dce5ad56bf2
Instruction Fuzzy Hash: 9611A371605636BAD7244A669C85FE7BE78FB127A8F00422AF20EC6080D670D841D6F0

Function 008E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008E34BA

Strings

edit, xrefs: 008E348F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 85480043936409ec573aa4cdf6b943c1438986f2cee36d98d848304cf3bfbfb5
Instruction ID: 5cdaa2ccb311d1c0bd24d3f9a28a8a0acef8c29ba25c8da699be42bb40d587a4
Opcode Fuzzy Hash: 85480043936409ec573aa4cdf6b943c1438986f2cee36d98d848304cf3bfbfb5
Instruction Fuzzy Hash: 7611BF71500188ABEB124E65DC88AAB376AFB26378F504324F960D71E0C731DD519B58

Function 008B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

CharUpperBuffW.USER32(?,?,?), ref: 008B6CB6
_wcslen.LIBCMT ref: 008B6CC2

Strings

STOP, xrefs: 008B6CBC, 008B6CC1

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c78df9ab7bcfc0c7ef5efdf584c8565c3a07f1902f9d8d6b868a352442e8ec74
Instruction ID: 05df72986cc0eba8acba7be135f9a359a0e8bc9fb14237a3e20ba82e346ae826
Opcode Fuzzy Hash: c78df9ab7bcfc0c7ef5efdf584c8565c3a07f1902f9d8d6b868a352442e8ec74
Instruction Fuzzy Hash: 92010832A005268BCB209FBDCCA19FF3BA5FB617107010524E862D62A0FB35DD14C650

Function 008B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008B1D4C

Strings

ComboBox, xrefs: 008B1CEB
ListBox, xrefs: 008B1D16

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 33dfec090271178b9a7c77a69205d39c2a93740433ef3cb1cc003f2747844e7e
Instruction ID: 920a37a954415bc1a5c513ab9b07b3abbf235bef44c3967192b76c88b70f002a
Opcode Fuzzy Hash: 33dfec090271178b9a7c77a69205d39c2a93740433ef3cb1cc003f2747844e7e
Instruction Fuzzy Hash: E001D875641218EB8F04EBA8CC65CFE7769FB56350B540919FC62DB3D1EA30590C8661

Function 008B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008B1C46

Strings

ComboBox, xrefs: 008B1BE5
ListBox, xrefs: 008B1C10

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dd5dc8c799bb56903c3c92be88e6e9f1657289cf08af46eca92a0778ac3bb452
Instruction ID: 65a2eab52de55c9b4b2e188c13f450380a0c373d3c8a930270fa78496be0f277
Opcode Fuzzy Hash: dd5dc8c799bb56903c3c92be88e6e9f1657289cf08af46eca92a0778ac3bb452
Instruction Fuzzy Hash: C901AC75781108A7CF04E794C9769FF7BA8FB51340F540019E846E7382EA209F0CC672

Function 008B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008B1CC8

Strings

ComboBox, xrefs: 008B1C69
ListBox, xrefs: 008B1C94

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 657c915a38b8b45022f6dac974eae76079cdee00031e1a6c3bbb248f341b7222
Instruction ID: d0c39bacb562a26f8795d4e378b1cb1dac7045d82f001de561208c625748cbba
Opcode Fuzzy Hash: 657c915a38b8b45022f6dac974eae76079cdee00031e1a6c3bbb248f341b7222
Instruction Fuzzy Hash: 36016775781118A7CF14E798CA65AFE7BA8FB51340B550415BC41F7381EA619F0CC672

Function 008B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859CB3: _wcslen.LIBCMT ref: 00859CBD

Part of subcall function 008B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008B1DD3

Strings

ComboBox, xrefs: 008B1D75
ListBox, xrefs: 008B1DA0

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a13e67e2d6e3fd95f90bfcece4cc2ef981be9a9c0900948f986e7117ffea9483
Instruction ID: d54aaf798784f5cd9fe57d2281a273a4abd09b0b5382fc9fff3ce736c76c9b30
Opcode Fuzzy Hash: a13e67e2d6e3fd95f90bfcece4cc2ef981be9a9c0900948f986e7117ffea9483
Instruction Fuzzy Hash: 25F0A475B41218A6DB14E7A8CC66AFF7778FB41354F980919F862E73C2DE605A0C8261

Function 008D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D7493
_wcslen.LIBCMT ref: 008D74B9

Strings

3, 3, 16, 1, xrefs: 008D7483

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 01ed54c97d225c605f8d14ea9e9ae8d1ebc4cc96758ee347e72e0cb2dd85c8b5
Instruction ID: 8a9bb23f756062fed75b17ae845a378c7f78ab6459a903e9ced43f8071880794
Opcode Fuzzy Hash: 01ed54c97d225c605f8d14ea9e9ae8d1ebc4cc96758ee347e72e0cb2dd85c8b5
Instruction Fuzzy Hash: 86E02301304210115232127D9CC167F5B8AFFC5750710141BF645C237EF754CD9153A6

Function 008B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008B0B23

Strings

AutoIt, xrefs: 008B0B17
Error allocating memory., xrefs: 008B0B1C

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: cb9f259835aec427f2953d17569825cfdef3888e544c22525786f61ee7fe5edc
Instruction ID: 3befdbd6fe72ad53bf5e5195c58d9d37c3b17f3cf7fd6baa1d70352d50338467
Opcode Fuzzy Hash: cb9f259835aec427f2953d17569825cfdef3888e544c22525786f61ee7fe5edc
Instruction Fuzzy Hash: 8DE0D83228434826D214369D7C03FC97E84FF06B65F100426FB98D95C38BE2689006AA

Function 00870D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0086F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00870D71,?,?,?,0085100A), ref: 0086F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0085100A), ref: 00870D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0085100A), ref: 00870D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00870D7F

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 9d819b89a017abce074fb6da11c12f799203e725deb551b29c843271d127d0e3
Instruction ID: 6a52fe76cf87ea2827d327f7b2234c08e36d41cfb9376e214eeef905e9548151
Opcode Fuzzy Hash: 9d819b89a017abce074fb6da11c12f799203e725deb551b29c843271d127d0e3
Instruction Fuzzy Hash: 55E06D702007828FD3309FBDE4443427BE0FB10744F008A2DE696CA656DBB4E4498F91

Function 008AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008AD220

Strings

%.3d, xrefs: 008AD22B
X64, xrefs: 008AD2A8

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8212fa6688e4e22b75a1b64b63a2a51cfeaa382ad0dd770a10b4558eb23bb468
Instruction ID: 9ace01d34ae698e0ec8b8dcb274019ee137873a7cfa4605919ee8abbcb2024a7
Opcode Fuzzy Hash: 8212fa6688e4e22b75a1b64b63a2a51cfeaa382ad0dd770a10b4558eb23bb468
Instruction Fuzzy Hash: 2ED012A1C0830DE9DB5096D0DC45AF9B37CFB09305F508452F907D1841D624E549E762

Function 008E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008E233F

Part of subcall function 008BE97B: Sleep.KERNEL32 ref: 008BE9F3

Strings

Shell_TrayWnd, xrefs: 008E2325

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2be9fa8bf12fef6ac98013ca13dec6aa0d0ca012b3df94407bf01074b13db244
Instruction ID: 7704fd12da13e57f9370dd799287409391d93a974ba17f82e9e0448b437dc901
Opcode Fuzzy Hash: 2be9fa8bf12fef6ac98013ca13dec6aa0d0ca012b3df94407bf01074b13db244
Instruction Fuzzy Hash: 38D0C936B95350BAE6A4A7709C8FFC66A14BB50B14F00491A7645AA1E0C9A0A8468A54

Function 008E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008E236C
PostMessageW.USER32(00000000), ref: 008E2373

Part of subcall function 008BE97B: Sleep.KERNEL32 ref: 008BE9F3

Strings

Shell_TrayWnd, xrefs: 008E2365

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b78613106a885236e493a280d7f994bf49c1b69e1706aae57ef55a5762c520c5
Instruction ID: 46e9d2f6e3b6a61abfb5c284b06752457c22bb2270c868ce94f0250efab123cb
Opcode Fuzzy Hash: b78613106a885236e493a280d7f994bf49c1b69e1706aae57ef55a5762c520c5
Instruction Fuzzy Hash: 5CD0C936B81350BAE6A4A7709C8FFC66A14BB54B14F00491A7645EA1E0C9A0B8468A54

Function 0088BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0088BE93
GetLastError.KERNEL32 ref: 0088BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0088BEFC

Memory Dump Source

Source File: 00000000.00000002.2195267176.0000000000851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true

Associated: 00000000.00000002.2195253073.0000000000850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.00000000008EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195318191.0000000000912000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195761184.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2195785263.0000000000924000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_850000_shipping advice.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 993afbc7c32672336e49e07bf01cd8cb33913265c3c70fc620d59f39c1689535
Instruction ID: 40ab63165cdcc5b8642934a478c1f0288f5fd5ede77b3850593f60d17a2c3b12
Opcode Fuzzy Hash: 993afbc7c32672336e49e07bf01cd8cb33913265c3c70fc620d59f39c1689535
Instruction Fuzzy Hash: C141E735604206AFCF31AFA9CC44ABA7BA5FF82710F244169FA59DB1A1DF309D01DB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipping advice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut9A2F.tmp

C:\Users\user\AppData\Local\Temp\aut9A5F.tmp

C:\Users\user\AppData\Local\Temp\orographically

C:\Users\user\AppData\Local\Temp\starbright

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
shipping advice.exe

Function 008542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00892BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00852CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0089065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0085344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00852B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00853170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00888D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 01BE2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00852C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01BE23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153
fileCOMMON

Function 008C2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 008510F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre