Windows Analysis Report
COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe

Overview

General Information

Sample name: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Analysis ID: 1517910
MD5: e2d52dffb1c3a06edb70b5767f181fb2
SHA1: 61586c4d2f728916fd3308e30bdbece74e2d8a56
SHA256: d35aa260122d0e628100a616e9a144fcea5dc667f4108fe847fcf49db479af90
Tags: AgentTesla, exe, TNT, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe (PID: 7972 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe" MD5: E2D52DFFB1C3A06EDB70B5767F181FB2)
    • RegSvcs.exe (PID: 8160 cmdline: "C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • KaGeys.exe (PID: 6036 cmdline: "C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • KaGeys.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.laboratoriosvilla.com.mx", "Username": "compras@laboratoriosvilla.com.mx", "Password": "WZ,2pliw#L)D"}
Source | Rule | Description | Author
00000002.00000002.3763081663.00000000031B3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author
0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x328e2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32954:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x329de:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32a70:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32ada:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32b4c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32be2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32c72:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 8160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KaGeys
Source: Network Connection | Author: frack113 | Data: DestinationIp: 216.194.161.167, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 8160, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49708
                    No Suricata rule has matched

                    AV Detection

Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Avira: detected
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.laboratoriosvilla.com.mx", "Username": "compras@laboratoriosvilla.com.mx", "Password": "WZ,2pliw#L)D"}
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | ReversingLabs: Detection: 66%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Joe Sandbox ML: detected
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: Binary string: RegSvcs.pdb, source: KaGeys.exe, 00000004.00000000.1498253090.00000000009F2000.00000002.00000001.01000000.00000006.sdmp, KaGeys.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1395470771.0000000004680000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1390220034.00000000044E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1395470771.0000000004680000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1390220034.00000000044E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: KaGeys.exe, 00000004.00000000.1498253090.00000000009F2000.00000002.00000001.01000000.00000006.sdmp, KaGeys.exe.2.dr
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B

                    Networking

Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.10:49708 -> 216.194.161.167:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: IMH-WESTUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.10:49708 -> 216.194.161.167:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.laboratoriosvilla.com.mx
Source: RegSvcs.exe, 00000002.00000002.3763081663.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://laboratoriosvilla.com.mx
Source: RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.laboratoriosvilla.com.mx
Source: RegSvcs.exe, 00000002.00000002.3765369615.00000000065D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3765369615.00000000065D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3762420170.000000000147B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3762420170.000000000147B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49706 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, NmHr1WHWKO.cs | .Net Code: lsx2fUddI
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

                    System Summary

Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004096A0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0042200C
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0041A217
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00412216
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0042435D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004033C0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004125E8
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044663B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00413801
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0042096F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004129D0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004119E3
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0041C9AE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0047EA6F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0040FA10
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00423C81
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00411E78
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00442E0C
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00420EC0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044CF17
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00444FD2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_03FBA6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01794AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01793EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01794208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0179BAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D6BCEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D6A6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D6CE18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D6EC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D8B207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D83068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D861D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D851A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D858CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D87968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D87288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D8E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D82340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06D80007
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: String function: 00445AE0 appears 65 times
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1394969556.0000000004603000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1393995248.00000000047AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0dc05c25-f673-4789-ade7-dd3770f175cc.exe4 vs COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, ISZbPXDvPz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, ISZbPXDvPz.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, nAXAT51m.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, YpS.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, YpS.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@3/3
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_0046CB5F OleInitialize,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoInitializeSecurity,_wcslen,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0046CB5F
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\KaGeysJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeFile created: C:\Users\user\AppData\Local\Temp\supergroupsJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCommand line argument: Mw0_2_0040D6B0
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeReversingLabs: Detection: 66%
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeFile read: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe"
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe "C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe "C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: msdart.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeStatic file information: File size 1165309 > 1048576
                    Source: Binary string: RegSvcs.pdb, source: KaGeys.exe, 00000004.00000000.1498253090.00000000009F2000.00000002.00000001.01000000.00000006.sdmp, KaGeys.exe.2.dr
                    Source: Binary string: wntdll.pdbUGP source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1395470771.0000000004680000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1390220034.00000000044E0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1395470771.0000000004680000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000003.1390220034.00000000044E0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: RegSvcs.pdb source: KaGeys.exe, 00000004.00000000.1498253090.00000000009F2000.00000002.00000001.01000000.00000006.sdmp, KaGeys.exe.2.dr
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeStatic PE information: real checksum: 0xa961f should be: 0x1219c8
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeCode function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0179EFB0 push esp; ret 2_2_0179F379
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_01790C53 push ebx; retf 2_2_01790C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_01790C45 push ebx; retf 2_2_01790C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06D66410 push es; ret 2_2_06D66400
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06D663F0 push es; ret 2_2_06D66400
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeFile created: \commercail invoice and tnt awb tracking invoice.exe
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeFile created: \commercail invoice and tnt awb tracking invoice.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KaGeysJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KaGeysJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe PID: 7972, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | API/Special instruction interceptor: Address: 3FBA2C4
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Memory allocated: 1020000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Memory allocated: 2DB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Memory allocated: 2B50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Memory allocated: EF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Memory allocated: 2B20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Memory allocated: 2940000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599308
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595575
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593956
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7549
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2280
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-85557
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | API coverage: 3.7 %
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe TID: 2968 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe TID: 7920 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00452492
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00442886
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_004788BD
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_004339B6
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose | 0_2_0045CAFA
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00431A86
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose | 0_2_0044BD27
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose | 0_2_0045DE8F
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0044BF8B
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary | 0_2_0040E500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599308
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99887
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98795
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98349
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97944
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97706
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595575
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593956
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Thread delayed: delay time: 922337203685477
                    Source: RegSvcs.exe, 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: vmware
                    Source: RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: VMwareVBox
                    Source: RegSvcs.exe, 00000002.00000002.3765369615.00000000065D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | API call chain: ExitProcess graph end node | graph_0-84687

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01797818 CheckRemoteDebuggerPresent | 2_2_01797818
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0045A370 BlockInput | 0_2_0045A370
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D590
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress | 0_2_0040EBD0
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_03FBA590 mov eax, dword ptr fs:[00000030h] | 0_2_03FBA590
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_03FBA530 mov eax, dword ptr fs:[00000030h] | 0_2_03FBA530
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_03FB8EF0 mov eax, dword ptr fs:[00000030h] | 0_2_03FB8EF0
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004238DA RpcServerRegisterIf3,__lseeki64_nolock,RpcServerRegisterIf3,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock | 0_2_004238DA
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter | 0_2_0041F250
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0041A208
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00417DAA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EA3008
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00436CD7 LogonUserW | 0_2_00436CD7
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D590
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00434418
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event | 0_2_0043333C
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe"
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00446124
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: Shell_TrayWnd
                    Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Queries volume information: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Queries volume information: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW | 0_2_004720DB
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00472C3F GetUserNameW | 0_2_00472C3F
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte | 0_2_0041E364
                    Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary | 0_2_0040E500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.3763081663.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe PID: 7972, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: WIN_XP
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: WIN_XPe
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: WIN_VISTA
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: WIN_7
Source: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe PID: 7972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3763081663.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe PID: 7972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_004652BE socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_00476619 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Code function: 0_2_0046CEF3 OleInitialize, _wcslen, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, GetActiveObject
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the hit badge shown in the report's matrix, techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 221 Windows Management Instrumentation; 2 Native API; 2 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 251 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Hidden Files and Directories
Credential Access: 2 OS Credential Dumping; 121 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 128 System Information Discovery; 641 Security Software Discovery; 251 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1517910 | Sample: COMMERCAIL INVOICE AND TNT ... | Start date: 25/09/2024 | Architecture: WINDOWS | Score: 100
Top-level DNS/IP info: mail.laboratoriosvilla.com.mx; laboratoriosvilla.com.mx; 2 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
Process tree (numbers in brackets are the badge counts drawn on the graph, see legend):
  COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe [1], started
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
    RegSvcs.exe [17 4], started
      DNS/IP info: ip-api.com 208.95.112.1, local port 49707 -> remote port 80, TUT-ASUS, United States; laboratoriosvilla.com.mx 216.194.161.167, local port 49708 -> remote port 587, IMH-WESTUS, United States; api.ipify.org 104.26.12.205, local port 49706 -> remote port 443, CLOUDFLARENETUS, United States
      created file: C:\Users\user\AppData\Roaming\...\KaGeys.exe, PE32 (dropped)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 5 other signatures
  KaGeys.exe [2], started
    conhost.exe, started
  KaGeys.exe [1], started
    conhost.exe, started

Source | Detection | Scanner | Label
COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | 67% | ReversingLabs | Win32.Trojan.ShellcodeCrypter
COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | 100% | Avira | HEUR/AGEN.1321671
COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://mail.laboratoriosvilla.com.mx | 0% | Avira URL Cloud | safe
http://r11.o.lencr.org0# | 0% | Avira URL Cloud | safe
https://api.ipify.org/t | 0% | Avira URL Cloud | safe
http://r11.i.lencr.org/0 | 0% | Avira URL Cloud | safe
http://ip-api.com | 0% | Avira URL Cloud | safe
http://laboratoriosvilla.com.mx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
laboratoriosvilla.com.mx | 216.194.161.167 | true | true | | unknown
api.ipify.org | 104.26.12.205 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
mail.laboratoriosvilla.com.mx | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r11.o.lencr.org0# | RegSvcs.exe, 00000002.00000002.3765369615.00000000065D0000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.laboratoriosvilla.com.mx | RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000002.00000002.3762420170.000000000147B000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000002.00000002.3762420170.000000000147B000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | RegSvcs.exe, 00000002.00000002.3763081663.0000000003161000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://laboratoriosvilla.com.mx | RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.3763081663.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r11.i.lencr.org/0 | RegSvcs.exe, 00000002.00000002.3765369615.00000000065D0000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3762420170.0000000001461000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3765369615.0000000006666000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
216.194.161.167 | laboratoriosvilla.com.mx | United States | 22611 | IMH-WESTUS | true
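The three contacts above form a sequence worth hunting for on its own: the injected RegSvcs.exe first asks two "what is my IP" services for the victim's public address (the `fields=hosting` query to ip-api.com additionally returns whether that address belongs to a hosting provider), then opens an SMTP submission connection on 587 to the mail server that receives the stolen data. The rule below is an added example, not Joe Sandbox code: it correlates per PID a lookup to an IP-disclosure host followed within a time window by an SMTP-port connection from a process that is not a mail client. The connection records and timestamps are constructed to mirror the report's RegSvcs.exe rows plus controls; the watch-list of IP-disclosure hosts and the mail-client allow-list are assumptions.

```python
"""Hunt: public-IP lookup followed by SMTP from a non-mail process.

Added example (not part of the Joe Sandbox report).  Connection records are
constructed to mirror the report's RegSvcs.exe contacts plus benign controls.
"""
import ntpath
from collections import defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    ts: float        # seconds, relative to the first event (constructed)
    pid: int
    image: str
    src_port: int
    dst_host: str
    dst_ip: str
    dst_port: int


IP_DISCLOSURE_HOSTS = {"api.ipify.org", "ip-api.com"}   # assumed watch-list; extend with other IP-echo services
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}        # assumed allow-list of images expected to speak SMTP
WINDOW_SECONDS = 300.0

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CONNECTIONS = [
    # RegSvcs.exe rows mirror the report: ipify over 443, ip-api over 80, then the mail server on 587
    Conn(0.0, 8160, REGSVCS, 49706, "api.ipify.org", "104.26.12.205", 443),
    Conn(0.4, 8160, REGSVCS, 49707, "ip-api.com", "208.95.112.1", 80),
    Conn(1.1, 8160, REGSVCS, 49708, "laboratoriosvilla.com.mx", "216.194.161.167", 587),
    # controls (constructed): a real mail client on 587, and a browser that only echoes its IP
    Conn(5.0, 3001, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", 50001, "smtp.example.net", "192.0.2.10", 587),
    Conn(9.0, 3002, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 50002, "api.ipify.org", "104.26.12.205", 443),
    # control (constructed): SMTP that precedes the lookup must not match; the order is the signal
    Conn(12.0, 3003, r"C:\Tools\updater.exe", 50003, "mail.example.net", "192.0.2.25", 587),
    Conn(13.0, 3003, r"C:\Tools\updater.exe", 50004, "ip-api.com", "208.95.112.1", 80),
]


def ip_lookup_then_smtp(conns, window=WINDOW_SECONDS):
    """Return one finding per SMTP-port connection that follows an IP-disclosure
    lookup by the same PID within `window` seconds, skipping known mail clients."""
    by_pid = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_pid[c.pid].append(c)
    findings = []
    for pid, rows in by_pid.items():
        image = rows[0].image
        if ntpath.basename(image).lower() in MAIL_CLIENTS:
            continue
        lookups = [c for c in rows if c.dst_host.lower() in IP_DISCLOSURE_HOSTS]
        for c in rows:
            if c.dst_port not in SMTP_PORTS:
                continue
            prior = sorted({l.dst_host for l in lookups if 0 <= c.ts - l.ts <= window})
            if prior:
                findings.append({"pid": pid, "image": image, "lookups": prior,
                                 "smtp": f"{c.dst_host}:{c.dst_port}", "dst_ip": c.dst_ip})
    return findings


if __name__ == "__main__":
    for f in ip_lookup_then_smtp(CONNECTIONS):
        print(f"PID {f['pid']} {f['image']}: {', '.join(f['lookups'])} then SMTP to {f['smtp']} ({f['dst_ip']})")
```

Ordering is the point of the rule: a lookup that happens after the mail session is not the stealer's "find out where I am, then report" pattern, so the control process on PID 3003 yields nothing. In production the same logic runs over EDR or Sysmon network events keyed on process GUID rather than PID, and the window should be widened if the sample sleeps between the lookup and the first SMTP session.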
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517910
Start date and time: 2024-09-25 09:05:27 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target KaGeys.exe, PID 4052 because it is empty
• Execution Graph export aborted for target KaGeys.exe, PID 6036 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
Time | Type | Description
03:06:34 | API Interceptor | 10667449x Sleep call for process: RegSvcs.exe modified
09:06:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run KaGeys C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
09:06:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run KaGeys C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 208.95.112.1
PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
PO Invoice XJ210821Q.PDF.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
comprobante_HSBC_765543465768798086756458665345768.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Company profile.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | ip-api.com/line/?fields=hosting
SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe | malicious | PureLog Stealer | ip-api.com/json/
SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe | malicious | PureLog Stealer | ip-api.com/json/
tQthxQV78N.exe | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
ELcnK80Ehf.exe | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
22.09.2024-22.09.2024.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
EgjKf0gmd1.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

Match: 104.26.12.205
file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
file.exe | malicious | Unknown | api.ipify.org/
file.exe | malicious | Unknown | api.ipify.org/
file.exe | malicious | Unknown | api.ipify.org/
file.exe | malicious | LummaC, Vidar | api.ipify.org/
file.exe | malicious | LummaC, Vidar | api.ipify.org/
file.exe | malicious | LummaC, Vidar | api.ipify.org/

Match: ip-api.com
http://getcloudapp.com | malicious | Unknown | 208.95.112.2
PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | 208.95.112.1
PO Invoice XJ210821Q.PDF.scr.exe | malicious | AgentTesla | 208.95.112.1
comprobante_HSBC_765543465768798086756458665345768.exe | malicious | AgentTesla | 208.95.112.1
Company profile.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 208.95.112.1
SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe | malicious | PureLog Stealer | 208.95.112.1
SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exe | malicious | PureLog Stealer | 208.95.112.1
tQthxQV78N.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
ELcnK80Ehf.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
https://user1logs91597.ac-page.com/visiomvaxer-0394875348488574279595784543 | malicious | Unknown | 51.77.64.70

Match: api.ipify.org
http://pub-647efec841f2469ea102ef18827f7780.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 104.26.12.205
http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.html | malicious | Greatness Phishing Kit, HTMLPhisher | 104.26.13.205
http://pub-4d560104a89740f899e90e13245f1971.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 172.67.74.152
http://pub-853a8c6d224746258050ceb1dd4dc8c3.r2.dev/response_auth.html | malicious | Greatness Phishing Kit, HTMLPhisher | 172.67.74.152
http://pub-382f9bec371e490e8d86f2689f3915b0.r2.dev/response_start.html | malicious | Unknown | 104.26.12.205
http://pub-8cc4fdf972304092b2aa97a68f50cd88.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 104.26.13.205
https://check-smulti-9635.pages.dev/robots.txt/ | malicious | HTMLPhisher | 104.26.13.205
file.exe | malicious | LummaC, Stealc, Vidar | 104.26.12.205
xmr_linux_amd64 (3).elf | malicious | Xmrig | 104.26.13.205
https://check-smulti-99341101.pages.dev/help/contact/316584597856398/ | malicious | HTMLPhisher | 104.26.12.205

Match: CLOUDFLARENETUS
Document.xls | malicious | Unknown | 188.114.96.3
Payment_Advise.exe | malicious | GuLoader | 172.67.146.197
Document.xls | malicious | Unknown | 188.114.97.3
New_Document-0706282.js | malicious | Unknown | 188.114.96.3
SPEC.xls | malicious | Remcos, PureLog Stealer | 188.114.96.3
https://download.devscope.net/setups/PowerBITiles/PowerBITilesDesktopPowerPoint.zip | malicious | Unknown | 1.1.1.1
New_Document-0706282.js | malicious | Unknown | 188.114.97.3
QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
TT copy for SO-2409-032.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
PI-96328635,PDF.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3

Match: IMH-WESTUS
bF9JDHS47l.vbs | malicious | Remcos | 199.250.212.228
Nuovo Ordine.vbs | malicious | Unknown | 199.250.212.228
Duclot Collections.bat | malicious | Remcos, DBatLoader | 144.208.71.134
SKMBT_77122024816310TD01_20220128_17311 .vbs | malicious | Remcos | 199.250.212.228
https://ar4download.com/ | malicious | Unknown | 173.231.197.194
https://sinintermediarios.uy/bc/blockchain.com/email/ | malicious | Unknown | 173.247.253.88
https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015 | malicious | HTMLPhisher | 192.249.123.145
AG Uncorked IRMI Wine Mixer Invite.pdf | malicious | HTMLPhisher | 205.134.254.189
z2PURCHASEORDER.exe | malicious | Snake Keylogger | 216.194.161.167
https://aquafish.net/pagecon/pagecon.cgi?no=13&page=%20%20http://nanaar4qwlkdcvklaadffkl4gdfbfkla34t6klaad4te3.s3-website-ap-northeast-1.amazonaws.com | malicious | Unknown | 74.124.218.149

Match: TUT-ASUS
http://getcloudapp.com | malicious | Unknown | 208.95.112.2
PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | 208.95.112.1
PO Invoice XJ210821Q.PDF.scr.exe | malicious | AgentTesla | 208.95.112.1
                            comprobante_HSBC_765543465768798086756458665345768.exeGet hashmaliciousAgentTeslaBrowse
                            • 208.95.112.1
                            Company profile.jsGet hashmaliciousPXRECVOWEIWOEI Stealer, PureLog StealerBrowse
                            • 208.95.112.1
                            SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exeGet hashmaliciousPureLog StealerBrowse
                            • 208.95.112.1
                            SecuriteInfo.com.Win32.SpywareX-gen.28752.22116.exeGet hashmaliciousPureLog StealerBrowse
                            • 208.95.112.1
                            tQthxQV78N.exeGet hashmaliciousClipboard Hijacker, QuasarBrowse
                            • 208.95.112.1
                            ELcnK80Ehf.exeGet hashmaliciousClipboard Hijacker, QuasarBrowse
                            • 208.95.112.1
                            22.09.2024-22.09.2024.exeGet hashmaliciousAgentTeslaBrowse
                            • 208.95.112.1
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            3b5074b1b5d032e5620f69f9f700ff0eQUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                            • 104.26.12.205
                            TT copy for SO-2409-032.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                            • 104.26.12.205
                            PI-96328635,PDF.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 104.26.12.205
                            http://pub-578040898e97448fab462cfa3f671292.r2.dev/gytdindex.htmlGet hashmaliciousHTMLPhisherBrowse
                            • 104.26.12.205
                            http://pub-28b78cc368104fdfb2ea280368fa70b5.r2.dev/ihil.htmlGet hashmaliciousHTMLPhisherBrowse
                            • 104.26.12.205
                            http://short-argument-future.on-fleek.app/peaceprofiledocument.htmlGet hashmaliciousUnknownBrowse
                            • 104.26.12.205
                            http://pub-f7c4e07e581b476e9fb4f4b237e77a89.r2.dev/IndexProject09XX09n/008XnbBse12.htmlGet hashmaliciousHTMLPhisherBrowse
                            • 104.26.12.205
                            http://cbase-perrologinns.gitbook.io/us/Get hashmaliciousHTMLPhisherBrowse
                            • 104.26.12.205
                            http://pub-d64d63bc9b0049929bfeb3afd89bfb4d.r2.dev/file.htmlGet hashmaliciousHTMLPhisherBrowse
                            • 104.26.12.205
                            http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.htmlGet hashmaliciousGreatness Phishing Kit, HTMLPhisherBrowse
                            • 104.26.12.205
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exeDHL- CBJ520818836689.pdf.exeGet hashmaliciousAgentTeslaBrowse
                              DHL- CBJ520818836689.exeGet hashmaliciousAgentTeslaBrowse
                                Shipping documents.exeGet hashmaliciousAgentTeslaBrowse
                                  Shipping doc.exeGet hashmaliciousAgentTeslaBrowse
                                    80c619d931fa4e5c89fe87aac0b6b143.exeGet hashmaliciousXWormBrowse
                                      Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        Public Holiday mem_Notice 2024.exeGet hashmaliciousAgentTeslaBrowse
                                          D65youPyf5.exeGet hashmaliciousXWormBrowse
                                            81WOMYtzK3.exeGet hashmaliciousAgentTeslaBrowse
                                              AN.exeGet hashmaliciousAgentTeslaBrowse
                                                Process:C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):142
                                                Entropy (8bit):5.090621108356562
                                                Encrypted:false
                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                Process:C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):244736
                                                Entropy (8bit):6.672700311081153
                                                Encrypted:false
                                                SSDEEP:6144:hLN9dtTMzInTHKwX0UXgxQwrV4lQEsJDiG7nJmc34Q3oQ:hXMzITRXCDFnT3R
                                                MD5:097B571FBAFDF599ABD54BA52B533C57
                                                SHA1:ECE0B522E9A781856EEFFDC65E9E45513907849E
                                                SHA-256:EAF80A40B74DF816404C5748236B2428F0E31AF4C8E747A72E069C8B2179196A
                                                SHA-512:3302C9842A8CAF738C35F53D962E68BFF343DF837AC01FC6A4DCB549F94BD9132A6113ACF43A82E991BD82F09B8E3DBD1FBE69CD17DFB0B3964F8CA2EF000630
                                                Malicious:false
                                                Reputation:low
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:modified
                                                Size (bytes):45984
                                                Entropy (8bit):6.16795797263964
                                                Encrypted:false
                                                SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
• Filename: DHL- CBJ520818836689.pdf.exe, Detection: malicious
• Filename: DHL- CBJ520818836689.exe, Detection: malicious
• Filename: Shipping documents.exe, Detection: malicious
• Filename: Shipping doc.exe, Detection: malicious
• Filename: 80c619d931fa4e5c89fe87aac0b6b143.exe, Detection: malicious
• Filename: Rejected Shipping Documents compiled PL pdf.exe, Detection: malicious
• Filename: Public Holiday mem_Notice 2024.exe, Detection: malicious
• Filename: D65youPyf5.exe, Detection: malicious
• Filename: 81WOMYtzK3.exe, Detection: malicious
• Filename: AN.exe, Detection: malicious
                                                Reputation:moderate, very likely benign file
                                                Process:C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1141
                                                Entropy (8bit):4.442398121585593
                                                Encrypted:false
                                                SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                Malicious:false
                                                Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.414117789887869
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                File size:1'165'309 bytes
                                                MD5:e2d52dffb1c3a06edb70b5767f181fb2
                                                SHA1:61586c4d2f728916fd3308e30bdbece74e2d8a56
                                                SHA256:d35aa260122d0e628100a616e9a144fcea5dc667f4108fe847fcf49db479af90
                                                SHA512:c511f74aec0e63e595cde98ca2cf159c8292ffe73e3723a68a0e24231b8f0c2d0d3a7eadf2f785d33b45be5c6f8ab72d999affa135f81701cbde02127a5c7bd1
                                                SSDEEP:24576:uRmJkcoQricOIQxiZY1iaC2ZMAcO94p8IPKI9YUiPPF1:7JZoQrbTFZY1iaCBEq3PKcfiXF1
                                                TLSH:D345E122F5C58036C2F323B19E7EF7AA9A3D79361336D19B23C41E215E605816B29773
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                Icon Hash:1733312925935517
                                                Entrypoint:0x4165c1
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:0
                                                File Version Major:5
                                                File Version Minor:0
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:0
                                                Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                Instruction
                                                call 00007F93F4847FDBh
                                                jmp 00007F93F483EE4Eh
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                push ebp
                                                mov ebp, esp
                                                push edi
                                                push esi
                                                mov esi, dword ptr [ebp+0Ch]
                                                mov ecx, dword ptr [ebp+10h]
                                                mov edi, dword ptr [ebp+08h]
                                                mov eax, ecx
                                                mov edx, ecx
                                                add eax, esi
                                                cmp edi, esi
                                                jbe 00007F93F483EFCAh
                                                cmp edi, eax
                                                jc 00007F93F483F166h
                                                cmp ecx, 00000080h
                                                jc 00007F93F483EFDEh
                                                cmp dword ptr [004A9724h], 00000000h
                                                je 00007F93F483EFD5h
                                                push edi
                                                push esi
                                                and edi, 0Fh
                                                and esi, 0Fh
                                                cmp edi, esi
                                                pop esi
                                                pop edi
                                                jne 00007F93F483EFC7h
                                                jmp 00007F93F483F3A2h
                                                test edi, 00000003h
                                                jne 00007F93F483EFD6h
                                                shr ecx, 02h
                                                and edx, 03h
                                                cmp ecx, 08h
                                                jc 00007F93F483EFEBh
                                                rep movsd
                                                jmp dword ptr [00416740h+edx*4]
                                                mov eax, edi
                                                mov edx, 00000003h
                                                sub ecx, 04h
                                                jc 00007F93F483EFCEh
                                                and eax, 03h
                                                add ecx, eax
                                                jmp dword ptr [00416654h+eax*4]
                                                jmp dword ptr [00416750h+ecx*4]
                                                nop
                                                jmp dword ptr [004166D4h+ecx*4]
                                                nop
                                                inc cx
                                                add byte ptr [eax-4BFFBE9Ah], dl
                                                inc cx
                                                add byte ptr [ebx], ah
                                                ror dword ptr [edx-75F877FAh], 1
                                                inc esi
                                                add dword ptr [eax+468A0147h], ecx
                                                add al, cl
                                                jmp 00007F93F6CB77C7h
                                                add esi, 03h
                                                add edi, 03h
                                                cmp ecx, 08h
                                                jc 00007F93F483EF8Eh
                                                rep movsd
                                                jmp dword ptr [00000000h+edx*4]
                                                Programming Language:
                                                • [ C ] VS2010 SP1 build 40219
                                                • [C++] VS2010 SP1 build 40219
                                                • [ C ] VS2008 SP1 build 30729
                                                • [IMP] VS2008 SP1 build 30729
                                                • [ASM] VS2010 SP1 build 40219
                                                • [RES] VS2010 SP1 build 40219
                                                • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, 
AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                                GDI32.dllDeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                                COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                                SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                                OLEAUT32.dllVariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
                                                 Language of compilation system | Country where language is spoken | Map
                                                 English | Great Britain
                                                 English | United States
                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 Sep 25, 2024 09:06:34.211105108 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.211159945 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.211230993 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.218472958 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.218488932 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.691612005 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.691873074 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.696063995 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.696079969 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.696537018 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.738420010 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.748938084 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.791416883 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.853704929 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.853868008 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.854260921 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.862498045 CEST | 49706 | 443 | 192.168.2.10 | 104.26.12.205
                                                 Sep 25, 2024 09:06:34.875976086 CEST | 49707 | 80 | 192.168.2.10 | 208.95.112.1
                                                 Sep 25, 2024 09:06:34.881009102 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.881146908 CEST | 49707 | 80 | 192.168.2.10 | 208.95.112.1
                                                 Sep 25, 2024 09:06:34.881268024 CEST | 49707 | 80 | 192.168.2.10 | 208.95.112.1
                                                 Sep 25, 2024 09:06:34.886126041 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.10
                                                 Sep 25, 2024 09:06:35.346182108 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.10
                                                 Sep 25, 2024 09:06:35.394409895 CEST | 49707 | 80 | 192.168.2.10 | 208.95.112.1
                                                 Sep 25, 2024 09:06:35.977298975 CEST | 49707 | 80 | 192.168.2.10 | 208.95.112.1
                                                 Sep 25, 2024 09:06:35.982738018 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.10
                                                 Sep 25, 2024 09:06:35.982847929 CEST | 49707 | 80 | 192.168.2.10 | 208.95.112.1
                                                 Sep 25, 2024 09:06:36.368278027 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:36.373193979 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:36.373377085 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:36.921751976 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:36.921957016 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:36.926817894 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.079845905 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.080028057 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.084830999 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.239041090 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.239463091 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.244280100 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.404855013 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.404876947 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.404891968 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.404980898 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.440112114 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.445002079 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.598170996 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.622601032 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.628452063 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.780728102 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.785212994 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.790061951 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.946461916 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:37.948947906 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:37.955615044 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.110440969 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.129617929 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.134443045 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.287324905 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.287544966 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.293014050 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.495870113 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.496170998 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.501363039 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.654262066 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.656984091 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.657078981 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.657254934 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.657299995 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.657403946 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.657438040 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.657545090 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:06:38.661860943 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.661983013 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.662077904 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.662147045 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.662276030 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.662411928 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.917346001 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:06:38.972534895 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:08:16.004096985 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Sep 25, 2024 09:08:16.010762930 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:08:16.164052963 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10
                                                 Sep 25, 2024 09:08:16.164711952 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167
                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 Sep 25, 2024 09:06:34.198111057 CEST | 49509 | 53 | 192.168.2.10 | 1.1.1.1
                                                 Sep 25, 2024 09:06:34.204905987 CEST | 53 | 49509 | 1.1.1.1 | 192.168.2.10
                                                 Sep 25, 2024 09:06:34.867789030 CEST | 59485 | 53 | 192.168.2.10 | 1.1.1.1
                                                 Sep 25, 2024 09:06:34.875097036 CEST | 53 | 59485 | 1.1.1.1 | 192.168.2.10
                                                 Sep 25, 2024 09:06:35.977850914 CEST | 54376 | 53 | 192.168.2.10 | 1.1.1.1
                                                 Sep 25, 2024 09:06:36.367151976 CEST | 53 | 54376 | 1.1.1.1 | 192.168.2.10
                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                 Sep 25, 2024 09:06:34.198111057 CEST | 192.168.2.10 | 1.1.1.1 | 0xf23a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:34.867789030 CEST | 192.168.2.10 | 1.1.1.1 | 0x30c8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:35.977850914 CEST | 192.168.2.10 | 1.1.1.1 | 0x1897 | Standard query (0) | mail.laboratoriosvilla.com.mx | A (IP address) | IN (0x0001) | false
                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                 Sep 25, 2024 09:06:34.204905987 CEST | 1.1.1.1 | 192.168.2.10 | 0xf23a | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:34.204905987 CEST | 1.1.1.1 | 192.168.2.10 | 0xf23a | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:34.204905987 CEST | 1.1.1.1 | 192.168.2.10 | 0xf23a | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:34.875097036 CEST | 1.1.1.1 | 192.168.2.10 | 0x30c8 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:36.367151976 CEST | 1.1.1.1 | 192.168.2.10 | 0x1897 | No error (0) | mail.laboratoriosvilla.com.mx | laboratoriosvilla.com.mx | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Sep 25, 2024 09:06:36.367151976 CEST | 1.1.1.1 | 192.168.2.10 | 0x1897 | No error (0) | laboratoriosvilla.com.mx | - | 216.194.161.167 | A (IP address) | IN (0x0001) | false
                                                • api.ipify.org
                                                • ip-api.com
                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 0 | 192.168.2.10 | 49707 | 208.95.112.1 | 80 | 8160 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Sep 25, 2024 09:06:34.881268024 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                Host: ip-api.com
                                                Connection: Keep-Alive
                                                 Sep 25, 2024 09:06:35.346182108 CEST | 175 | IN | HTTP/1.1 200 OK
                                                Date: Wed, 25 Sep 2024 07:06:34 GMT
                                                Content-Type: text/plain; charset=utf-8
                                                Content-Length: 6
                                                Access-Control-Allow-Origin: *
                                                X-Ttl: 60
                                                X-Rl: 44
                                                Data Raw: 66 61 6c 73 65 0a
                                                Data Ascii: false


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 0 | 192.168.2.10 | 49706 | 104.26.12.205 | 443 | 8160 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 2024-09-25 07:06:34 UTC | 155 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                Host: api.ipify.org
                                                Connection: Keep-Alive
                                                 2024-09-25 07:06:34 UTC | 211 | IN | HTTP/1.1 200 OK
                                                Date: Wed, 25 Sep 2024 07:06:34 GMT
                                                Content-Type: text/plain
                                                Content-Length: 11
                                                Connection: close
                                                Vary: Origin
                                                CF-Cache-Status: DYNAMIC
                                                Server: cloudflare
                                                CF-RAY: 8c892c1f782dc402-EWR
                                                 2024-09-25 07:06:34 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                Data Ascii: 8.46.123.33


                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                 Sep 25, 2024 09:06:36.921751976 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10 | 220-server.aipssa.com.mx ESMTP Exim 4.96.2 #2 Wed, 25 Sep 2024 00:06:36 -0700
                                                220-We do not authorize the use of this system to transport unsolicited,
                                                220 and/or bulk e-mail.
                                                 Sep 25, 2024 09:06:36.921957016 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167 | EHLO 088753
                                                 Sep 25, 2024 09:06:37.079845905 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10 | 250-server.aipssa.com.mx Hello 088753 [8.46.123.33]
                                                250-SIZE 52428800
                                                250-8BITMIME
                                                250-PIPELINING
                                                250-PIPECONNECT
                                                250-AUTH PLAIN LOGIN
                                                250-STARTTLS
                                                250 HELP
                                                 Sep 25, 2024 09:06:37.080028057 CEST | 49708 | 587 | 192.168.2.10 | 216.194.161.167 | STARTTLS
                                                 Sep 25, 2024 09:06:37.239041090 CEST | 587 | 49708 | 216.194.161.167 | 192.168.2.10 | 220 TLS go ahead

                                                Target ID:0
                                                Start time:03:06:23
                                                Start date:25/09/2024
                                                Path:C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe"
                                                Imagebase:0x400000
                                                File size:1'165'309 bytes
                                                MD5 hash:E2D52DFFB1C3A06EDB70B5767F181FB2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1398600661.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:03:06:32
                                                Start date:25/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe"
                                                Imagebase:0xdd0000
                                                File size:45'984 bytes
                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3763081663.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3763081663.000000000319D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3763081663.0000000003175000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3761778897.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:4
                                                Start time:03:06:43
                                                Start date:25/09/2024
                                                Path:C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"
                                                Imagebase:0x9f0000
                                                File size:45'984 bytes
                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 0%, ReversingLabs
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:03:06:43
                                                Start date:25/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:03:06:51
                                                Start date:25/09/2024
                                                Path:C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"
                                                Imagebase:0x7a0000
                                                File size:45'984 bytes
                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:03:06:51
                                                Start date:25/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:3.8%
                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                  Signature Coverage:10.1%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:34
                                                  execution_graph: serialized node/edge listing of the interactive graph viewer (numeric node IDs, code addresses and edge pairs omitted here; the listing is truncated on the page).
                                                  Windows API calls referenced by the graph nodes: DefWindowProcW, Shell_NotifyIconW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, DestroyIcon, LoadStringW, LoadImageW, EnumResourceNamesW, RegisterClassExW, CreateWindowExW, ShowWindow, GetSysColorBrush, LoadCursorW, LoadIconW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LockWindowUpdate, DestroyWindow, GetForegroundWindow, ShellExecuteW, MessageBoxA, GetOpenFileNameW, SHGetMalloc, SystemParametersInfoW, timeGetTime, GetModuleHandleW, GetModuleFileNameW, GetProcAddress, LoadLibraryA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetStdHandle, SetHandleCount, GetFileType, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, HeapCreate, HeapAlloc, RtlAllocateHeap, RtlFreeHeap, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, CloseHandle, Sleep, GetLastError, GetSystemTimeAsFileTime, WideCharToMultiByte, VariantClear, RaiseException, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, ExitProcess.
LeaveCriticalSection __unlock_fhandle 85263->85300 85266->85202 85267->85217 85268->85227 85269->85227 85270->85233 85271->85238 85272->85240 85274 41ae62 _fseek 85273->85274 85275 41aebc 85274->85275 85276 4182cb __lock 46 API calls 85274->85276 85277 41aec1 EnterCriticalSection 85275->85277 85280 41aede _fseek 85275->85280 85278 41ae8e 85276->85278 85277->85280 85279 41ae97 InitializeCriticalSectionAndSpinCount 85278->85279 85281 41aeaa 85278->85281 85279->85281 85280->85255 85282 41aeec ___lock_fhandle LeaveCriticalSection 85281->85282 85282->85275 85284 41aded __chsize_nolock 46 API calls 85283->85284 85285 41e18e 85284->85285 85286 41e1a4 SetFilePointer 85285->85286 85287 41e194 85285->85287 85289 41e1c3 85286->85289 85290 41e1bb GetLastError 85286->85290 85288 417f77 _fseek 46 API calls 85287->85288 85291 41e199 85288->85291 85289->85291 85292 417f9d __dosmaperr 46 API calls 85289->85292 85290->85289 85291->85263 85292->85291 85293->85248 85294->85259 85295->85249 85296->85254 85297->85259 85298->85262 85299->85263 85300->85259 85302 4149ea 85301->85302 85303 4149fe 85301->85303 85347 417f77 46 API calls __getptd_noexit 85302->85347 85305 4149fa 85303->85305 85307 41443c __flush 77 API calls 85303->85307 85319 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 85305->85319 85306 4149ef 85348 417f25 10 API calls _fseek 85306->85348 85309 414a0a 85307->85309 85320 41d8c2 85309->85320 85312 414139 __filbuf 46 API calls 85313 414a18 85312->85313 85324 41d7fe 85313->85324 85315 414a1e 85315->85305 85316 413748 _free 46 API calls 85315->85316 85316->85305 85317->85048 85318->85051 85319->85051 85321 414a12 85320->85321 85322 41d8d2 85320->85322 85321->85312 85322->85321 85323 413748 _free 46 API calls 85322->85323 85323->85321 85325 41d80a _fseek 85324->85325 85326 41d812 85325->85326 85327 41d82d 85325->85327 85364 417f8a 46 API calls __getptd_noexit 85326->85364 85328 41d839 85327->85328 85333 41d873 85327->85333 85366 417f8a 46 API calls __getptd_noexit 
85328->85366 85331 41d817 85365 417f77 46 API calls __getptd_noexit 85331->85365 85332 41d83e 85367 417f77 46 API calls __getptd_noexit 85332->85367 85336 41ae56 ___lock_fhandle 48 API calls 85333->85336 85338 41d879 85336->85338 85337 41d846 85368 417f25 10 API calls _fseek 85337->85368 85340 41d893 85338->85340 85341 41d887 85338->85341 85369 417f77 46 API calls __getptd_noexit 85340->85369 85349 41d762 85341->85349 85343 41d81f _fseek 85343->85315 85345 41d88d 85370 41d8ba LeaveCriticalSection __unlock_fhandle 85345->85370 85347->85306 85348->85305 85371 41aded 85349->85371 85351 41d7c8 85384 41ad67 47 API calls 2 library calls 85351->85384 85352 41d772 85352->85351 85353 41d7a6 85352->85353 85355 41aded __chsize_nolock 46 API calls 85352->85355 85353->85351 85356 41aded __chsize_nolock 46 API calls 85353->85356 85359 41d79d 85355->85359 85360 41d7b2 CloseHandle 85356->85360 85357 41d7d0 85358 41d7f2 85357->85358 85385 417f9d 46 API calls 3 library calls 85357->85385 85358->85345 85362 41aded __chsize_nolock 46 API calls 85359->85362 85360->85351 85363 41d7be GetLastError 85360->85363 85362->85353 85363->85351 85364->85331 85365->85343 85366->85332 85367->85337 85368->85343 85369->85345 85370->85343 85372 41ae12 85371->85372 85373 41adfa 85371->85373 85376 417f8a __free_osfhnd 46 API calls 85372->85376 85378 41ae51 85372->85378 85374 417f8a __free_osfhnd 46 API calls 85373->85374 85375 41adff 85374->85375 85379 417f77 _fseek 46 API calls 85375->85379 85377 41ae23 85376->85377 85380 417f77 _fseek 46 API calls 85377->85380 85378->85352 85383 41ae07 85379->85383 85381 41ae2b 85380->85381 85382 417f25 _fseek 10 API calls 85381->85382 85382->85383 85383->85352 85384->85357 85385->85358 85387 414c82 _fseek 85386->85387 85388 414cbb _fseek 85387->85388 85389 414cc3 85387->85389 85390 414c96 __crtGetStringTypeA_stat 85387->85390 85388->85057 85391 415471 __lock_file 47 API calls 85389->85391 85413 417f77 46 API calls __getptd_noexit 85390->85413 85393 414ccb 
85391->85393 85399 414aba 85393->85399 85395 414cb0 85414 417f25 10 API calls _fseek 85395->85414 85403 414ad8 __crtGetStringTypeA_stat 85399->85403 85406 414af2 85399->85406 85400 414ae2 85466 417f77 46 API calls __getptd_noexit 85400->85466 85402 414ae7 85467 417f25 10 API calls _fseek 85402->85467 85403->85400 85403->85406 85410 414b2d 85403->85410 85415 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 85406->85415 85407 414c38 __crtGetStringTypeA_stat 85469 417f77 46 API calls __getptd_noexit 85407->85469 85409 414139 __filbuf 46 API calls 85409->85410 85410->85406 85410->85407 85410->85409 85416 41dfcc 85410->85416 85446 41d8f3 85410->85446 85468 41e0c2 46 API calls 3 library calls 85410->85468 85413->85395 85414->85388 85415->85388 85417 41dfd8 _fseek 85416->85417 85418 41dfe0 85417->85418 85419 41dffb 85417->85419 85539 417f8a 46 API calls __getptd_noexit 85418->85539 85420 41e007 85419->85420 85425 41e041 85419->85425 85541 417f8a 46 API calls __getptd_noexit 85420->85541 85423 41dfe5 85540 417f77 46 API calls __getptd_noexit 85423->85540 85424 41e00c 85542 417f77 46 API calls __getptd_noexit 85424->85542 85428 41e063 85425->85428 85429 41e04e 85425->85429 85430 41ae56 ___lock_fhandle 48 API calls 85428->85430 85544 417f8a 46 API calls __getptd_noexit 85429->85544 85433 41e069 85430->85433 85431 41e014 85543 417f25 10 API calls _fseek 85431->85543 85436 41e077 85433->85436 85437 41e08b 85433->85437 85434 41e053 85545 417f77 46 API calls __getptd_noexit 85434->85545 85435 41dfed _fseek 85435->85410 85470 41da15 85436->85470 85546 417f77 46 API calls __getptd_noexit 85437->85546 85442 41e083 85548 41e0ba LeaveCriticalSection __unlock_fhandle 85442->85548 85443 41e090 85547 417f8a 46 API calls __getptd_noexit 85443->85547 85447 41d900 85446->85447 85451 41d915 85446->85451 85552 417f77 46 API calls __getptd_noexit 85447->85552 85449 41d905 85553 417f25 10 API calls _fseek 85449->85553 85452 41d94a 85451->85452 85458 41d910 85451->85458 85549 420603 
85451->85549 85454 414139 __filbuf 46 API calls 85452->85454 85455 41d95e 85454->85455 85456 41dfcc __read 59 API calls 85455->85456 85457 41d965 85456->85457 85457->85458 85459 414139 __filbuf 46 API calls 85457->85459 85458->85410 85460 41d988 85459->85460 85460->85458 85461 414139 __filbuf 46 API calls 85460->85461 85462 41d994 85461->85462 85462->85458 85463 414139 __filbuf 46 API calls 85462->85463 85464 41d9a1 85463->85464 85465 414139 __filbuf 46 API calls 85464->85465 85465->85458 85466->85402 85467->85406 85468->85410 85469->85402 85471 41da31 85470->85471 85472 41da4c 85470->85472 85473 417f8a __free_osfhnd 46 API calls 85471->85473 85474 41da5b 85472->85474 85476 41da7a 85472->85476 85475 41da36 85473->85475 85477 417f8a __free_osfhnd 46 API calls 85474->85477 85479 417f77 _fseek 46 API calls 85475->85479 85478 41da98 85476->85478 85492 41daac 85476->85492 85480 41da60 85477->85480 85481 417f8a __free_osfhnd 46 API calls 85478->85481 85493 41da3e 85479->85493 85483 417f77 _fseek 46 API calls 85480->85483 85485 41da9d 85481->85485 85482 41db02 85484 417f8a __free_osfhnd 46 API calls 85482->85484 85486 41da67 85483->85486 85487 41db07 85484->85487 85488 417f77 _fseek 46 API calls 85485->85488 85489 417f25 _fseek 10 API calls 85486->85489 85490 417f77 _fseek 46 API calls 85487->85490 85491 41daa4 85488->85491 85489->85493 85490->85491 85495 417f25 _fseek 10 API calls 85491->85495 85492->85482 85492->85493 85494 41dae1 85492->85494 85496 41db1b 85492->85496 85493->85442 85494->85482 85501 41daec ReadFile 85494->85501 85495->85493 85498 416b04 __malloc_crt 46 API calls 85496->85498 85502 41db31 85498->85502 85499 41dc17 85500 41df8f GetLastError 85499->85500 85507 41dc2b 85499->85507 85503 41de16 85500->85503 85504 41df9c 85500->85504 85501->85499 85501->85500 85505 41db59 85502->85505 85506 41db3b 85502->85506 85513 417f9d __dosmaperr 46 API calls 85503->85513 85518 41dd9b 85503->85518 85509 417f77 _fseek 46 API calls 85504->85509 85508 420494 
__lseeki64_nolock 48 API calls 85505->85508 85510 417f77 _fseek 46 API calls 85506->85510 85507->85518 85520 41de5b 85507->85520 85521 41dc47 85507->85521 85511 41db67 85508->85511 85512 41dfa1 85509->85512 85514 41db40 85510->85514 85511->85501 85515 417f8a __free_osfhnd 46 API calls 85512->85515 85513->85518 85516 417f8a __free_osfhnd 46 API calls 85514->85516 85515->85518 85516->85493 85517 413748 _free 46 API calls 85517->85493 85518->85493 85518->85517 85519 41ded0 ReadFile 85524 41deef GetLastError 85519->85524 85531 41def9 85519->85531 85520->85518 85520->85519 85522 41dcab ReadFile 85521->85522 85527 41dd28 85521->85527 85523 41dcc9 GetLastError 85522->85523 85530 41dcd3 85522->85530 85523->85521 85523->85530 85524->85520 85524->85531 85525 41ddec MultiByteToWideChar 85525->85518 85526 41de10 GetLastError 85525->85526 85526->85503 85527->85518 85528 41dda3 85527->85528 85529 41dd96 85527->85529 85533 41dd60 85527->85533 85528->85533 85534 41ddda 85528->85534 85532 417f77 _fseek 46 API calls 85529->85532 85530->85521 85535 420494 __lseeki64_nolock 48 API calls 85530->85535 85531->85520 85536 420494 __lseeki64_nolock 48 API calls 85531->85536 85532->85518 85533->85525 85537 420494 __lseeki64_nolock 48 API calls 85534->85537 85535->85530 85536->85531 85538 41dde9 85537->85538 85538->85525 85539->85423 85540->85435 85541->85424 85542->85431 85543->85435 85544->85434 85545->85431 85546->85443 85547->85442 85548->85435 85550 416b04 __malloc_crt 46 API calls 85549->85550 85551 420618 85550->85551 85551->85452 85552->85449 85553->85458 85557 4148b3 GetSystemTimeAsFileTime __aulldiv 85554->85557 85556 442c6b 85556->85060 85557->85556 85558->85067 85559->85072 85560->85072 85564 45272f __tzset_nolock _wcscpy 85561->85564 85562 44afef GetSystemTimeAsFileTime 85562->85564 85563 4528a4 85563->84982 85563->84983 85564->85562 85564->85563 85565 414d04 61 API calls __fread_nolock 85564->85565 85566 4150d1 81 API calls _fseek 85564->85566 85565->85564 85566->85564 85568 
44b1bc 85567->85568 85569 44b1ca 85567->85569 85570 4149c2 116 API calls 85568->85570 85571 44b1e1 85569->85571 85572 4149c2 116 API calls 85569->85572 85573 44b1d8 85569->85573 85570->85569 85602 4321a4 85571->85602 85574 44b2db 85572->85574 85573->85011 85574->85571 85576 44b2e9 85574->85576 85578 44b2f6 85576->85578 85581 414a46 __fcloseall 82 API calls 85576->85581 85577 44b224 85579 44b253 85577->85579 85580 44b228 85577->85580 85578->85011 85606 43213d 85579->85606 85583 44b235 85580->85583 85586 414a46 __fcloseall 82 API calls 85580->85586 85581->85578 85584 44b245 85583->85584 85587 414a46 __fcloseall 82 API calls 85583->85587 85584->85011 85585 44b25a 85588 44b260 85585->85588 85589 44b289 85585->85589 85586->85583 85587->85584 85591 44b26d 85588->85591 85593 414a46 __fcloseall 82 API calls 85588->85593 85616 44b0bf 85589->85616 85594 44b27d 85591->85594 85596 414a46 __fcloseall 82 API calls 85591->85596 85592 44b28f 85625 4320f8 85592->85625 85593->85591 85594->85011 85596->85594 85598 44b2a2 85600 44b2b2 85598->85600 85601 414a46 __fcloseall 82 API calls 85598->85601 85599 414a46 __fcloseall 82 API calls 85599->85598 85600->85011 85601->85600 85603 4321cb 85602->85603 85605 4321b4 __tzset_nolock _memmove 85602->85605 85604 414d04 __fread_nolock 61 API calls 85603->85604 85604->85605 85605->85577 85607 4135bb _malloc 46 API calls 85606->85607 85608 432150 85607->85608 85609 4135bb _malloc 46 API calls 85608->85609 85610 432162 85609->85610 85611 4135bb _malloc 46 API calls 85610->85611 85612 432174 85611->85612 85613 4320f8 46 API calls 85612->85613 85614 432189 85612->85614 85615 432198 85613->85615 85614->85585 85615->85585 85617 44b18e 85616->85617 85623 44b0da 85616->85623 85635 43206e 80 API calls 85617->85635 85619 44b194 85619->85592 85620 442caf 61 API calls 85620->85623 85623->85617 85623->85620 85624 44b19d 85623->85624 85633 44b040 61 API calls 85623->85633 85634 442d48 80 API calls 85623->85634 85624->85592 85626 43210f 85625->85626 85627 
432109 85625->85627 85629 413748 _free 46 API calls 85626->85629 85630 432122 85626->85630 85628 413748 _free 46 API calls 85627->85628 85628->85626 85629->85630 85631 413748 _free 46 API calls 85630->85631 85632 432135 85630->85632 85631->85632 85632->85598 85632->85599 85633->85623 85634->85623 85635->85619 85636->84912 85637->84913 85638->84933 85639->84933 85640->84933 85641->84924 85642->84933 85643->84933 85644->84937 85645->84946 85646->84948 85647->84948 85697 410160 85648->85697 85650 41012f GetFullPathNameW 85651 410147 moneypunct 85650->85651 85651->84767 85653 4102cb SHGetDesktopFolder 85652->85653 85656 410333 _wcsncpy 85652->85656 85654 4102e0 _wcsncpy 85653->85654 85653->85656 85655 41031c SHGetPathFromIDListW 85654->85655 85654->85656 85655->85656 85656->84771 85658 425f4a 85657->85658 85659 4101bb 85657->85659 85662 4114ab __wcsicoll 58 API calls 85658->85662 85665 425f6e 85658->85665 85660 410160 52 API calls 85659->85660 85661 4101c7 85660->85661 85701 410200 52 API calls 2 library calls 85661->85701 85662->85658 85664 4101d6 85702 410200 52 API calls 2 library calls 85664->85702 85665->84773 85667 4101e9 85667->84773 85669 40f760 128 API calls 85668->85669 85670 40f584 85669->85670 85671 429335 85670->85671 85672 40f58c 85670->85672 85675 4528bd 119 API calls 85671->85675 85673 40f598 85672->85673 85674 429358 85672->85674 85727 4033c0 113 API calls 7 library calls 85673->85727 85728 434034 86 API calls _wprintf 85674->85728 85678 42934b 85675->85678 85679 429373 85678->85679 85680 42934f 85678->85680 85684 4115d7 52 API calls 85679->85684 85683 431e58 82 API calls 85680->85683 85681 429369 85681->85679 85682 40f5b4 85682->84770 85683->85674 85696 4293c5 moneypunct 85684->85696 85685 42959c 85686 413748 _free 46 API calls 85685->85686 85687 4295a5 85686->85687 85688 431e58 82 API calls 85687->85688 85689 4295b1 85688->85689 85693 401b10 52 API calls 85693->85696 85696->85685 85696->85693 85703 444af8 85696->85703 85706 44b41c 85696->85706 85713 
402780 85696->85713 85721 4022d0 85696->85721 85729 44c7dd 64 API calls 3 library calls 85696->85729 85698 410167 _wcslen 85697->85698 85699 4115d7 52 API calls 85698->85699 85700 41017e _wcscpy 85699->85700 85700->85650 85701->85664 85702->85667 85704 4115d7 52 API calls 85703->85704 85705 444b27 _memmove 85704->85705 85705->85696 85708 44b429 85706->85708 85707 4115d7 52 API calls 85709 44b440 85707->85709 85708->85707 85710 44b45e 85709->85710 85711 401b10 52 API calls 85709->85711 85710->85696 85712 44b453 85711->85712 85712->85696 85714 402827 85713->85714 85720 402790 moneypunct _memmove 85713->85720 85716 4115d7 52 API calls 85714->85716 85715 4115d7 52 API calls 85717 402797 85715->85717 85716->85720 85718 4115d7 52 API calls 85717->85718 85719 4027bd 85717->85719 85718->85719 85719->85696 85720->85715 85722 4022e0 85721->85722 85724 40239d 85721->85724 85723 4115d7 52 API calls 85722->85723 85722->85724 85725 402320 moneypunct 85722->85725 85723->85725 85724->85696 85725->85724 85726 4115d7 52 API calls 85725->85726 85726->85725 85727->85682 85728->85681 85729->85696 85731 402539 moneypunct 85730->85731 85732 402417 85730->85732 85731->84777 85732->85731 85733 4115d7 52 API calls 85732->85733 85734 402443 85733->85734 85735 4115d7 52 API calls 85734->85735 85736 4024b4 85735->85736 85736->85731 85738 4022d0 52 API calls 85736->85738 85759 402880 95 API calls 2 library calls 85736->85759 85738->85736 85744 401566 85739->85744 85740 401794 85760 40e9a0 90 API calls 85740->85760 85742 40167a 85745 4017c0 85742->85745 85761 45e737 90 API calls 3 library calls 85742->85761 85744->85740 85744->85742 85746 4010a0 52 API calls 85744->85746 85745->84779 85746->85744 85748 40bc70 52 API calls 85747->85748 85758 40d451 85748->85758 85749 40d50f 85764 410600 52 API calls 85749->85764 85751 427c01 85765 45e737 90 API calls 3 library calls 85751->85765 85752 40e0a0 52 API calls 85752->85758 85754 401b10 52 API calls 85754->85758 85755 40d519 85755->84782 85758->85749 
85758->85751 85758->85752 85758->85754 85758->85755 85762 40f310 53 API calls 85758->85762 85763 40d860 91 API calls 85758->85763 85759->85736 85760->85742 85761->85745 85762->85758 85763->85758 85764->85755 85765->85755 85766->84795 85767->84796 85769 42c5fe 85768->85769 85784 4091c6 85768->85784 85770 40bc70 52 API calls 85769->85770 85769->85784 85771 42c64e InterlockedIncrement 85770->85771 85772 42c665 85771->85772 85777 42c697 85771->85777 85775 42c672 InterlockedDecrement Sleep InterlockedIncrement 85772->85775 85772->85777 85773 42c737 InterlockedDecrement 85774 42c74a 85773->85774 85778 408f40 VariantClear 85774->85778 85775->85772 85775->85777 85776 42c731 85776->85773 85777->85773 85777->85776 86061 408e80 85777->86061 85780 42c752 85778->85780 86074 410c60 VariantClear moneypunct 85780->86074 85784->84843 85785 42c6db 85786 402160 52 API calls 85785->85786 85787 42c6e5 85786->85787 85788 45340c 85 API calls 85787->85788 85789 42c6f1 85788->85789 86071 40d200 52 API calls 2 library calls 85789->86071 85791 42c6fb 86072 465124 53 API calls 85791->86072 85793 42c715 85794 42c76a 85793->85794 85795 42c719 85793->85795 85797 401b10 52 API calls 85794->85797 86073 46fe32 VariantClear 85795->86073 85798 42c77e 85797->85798 85799 401980 53 API calls 85798->85799 85806 42c796 85799->85806 85800 42c812 86081 46fe32 VariantClear 85800->86081 85802 42c82a InterlockedDecrement 86082 46ff07 54 API calls 85802->86082 85804 42c849 85808 42c9ec 85804->85808 85813 408f40 VariantClear 85804->85813 85820 401980 53 API calls 85804->85820 85822 402780 52 API calls 85804->85822 86085 40a780 85804->86085 85805 42c864 86083 45e737 90 API calls 3 library calls 85805->86083 85806->85800 85806->85805 86075 40ba10 85806->86075 85813->85804 85815 408f40 VariantClear 85817 42c891 85815->85817 86084 410c60 VariantClear moneypunct 85817->86084 85820->85804 85822->85804 85823 42c874 85823->85815 85825 42ca59 85823->85825 85825->85825 85827 40afc4 85826->85827 85828 40b156 85826->85828 
85829 40afd5 85827->85829 85830 42d1e3 85827->85830 86138 45e737 90 API calls 3 library calls 85828->86138 85833 40a780 197 API calls 85829->85833 85851 40b11a moneypunct 85829->85851 86139 45e737 90 API calls 3 library calls 85830->86139 85836 40b00a 85833->85836 85834 42d1f8 85839 408f40 VariantClear 85834->85839 85835 40b143 85835->84843 85836->85834 85841 40b012 85836->85841 85838 42d4db 85838->85838 85839->85835 85840 40b04a 85849 40b05c moneypunct 85840->85849 86140 40e270 VariantClear moneypunct 85840->86140 85841->85840 85842 42d231 VariantClear 85841->85842 85845 40b094 moneypunct 85841->85845 85842->85849 85843 40b108 85843->85851 86141 40e270 VariantClear moneypunct 85843->86141 85844 42d45a VariantClear 85844->85851 85845->85843 85847 42d425 moneypunct 85845->85847 85847->85844 85847->85851 85849->85845 85850 4115d7 52 API calls 85849->85850 85850->85845 85851->85835 86142 45e737 90 API calls 3 library calls 85851->86142 85853 408fff 85852->85853 85866 40900d 85852->85866 86189 403ea0 52 API calls __cinit 85853->86189 85856 42c3f6 86192 45e737 90 API calls 3 library calls 85856->86192 85858 40a780 197 API calls 85858->85866 85859 42c44a 86194 45e737 90 API calls 3 library calls 85859->86194 85861 42c47b 86195 451b42 61 API calls 85861->86195 85863 42c4cb 86143 47faae 85863->86143 85864 42c564 85869 408f40 VariantClear 85864->85869 85866->85856 85866->85858 85866->85859 85866->85861 85866->85863 85866->85864 85868 42c548 85866->85868 85872 409112 85866->85872 85874 4090df 85866->85874 85876 42c528 85866->85876 85879 4090ea 85866->85879 85886 4090f2 moneypunct 85866->85886 86191 4534e3 52 API calls 85866->86191 86193 40c4e0 197 API calls 85866->86193 86199 45e737 90 API calls 3 library calls 85868->86199 85869->85886 85870 42c491 85870->85886 86196 45e737 90 API calls 3 library calls 85870->86196 85871 42c4da 85871->85886 86197 45e737 90 API calls 3 library calls 85871->86197 85872->85868 85877 40912b 85872->85877 85874->85879 85880 408e80 VariantClear 
85874->85880 86198 45e737 90 API calls 3 library calls 85876->86198 85877->85886 86190 403e10 53 API calls 85877->86190 85882 408f40 VariantClear 85879->85882 85880->85879 85882->85886 85884 40914b 85885 408f40 VariantClear 85884->85885 85885->85886 85886->84843 86389 408d90 85887->86389 85889 429778 86415 410c60 VariantClear moneypunct 85889->86415 85891 429780 85892 408cf9 85892->85889 85893 42976c 85892->85893 85895 408d2d 85892->85895 86414 45e737 90 API calls 3 library calls 85893->86414 86405 403d10 85895->86405 85898 408d71 moneypunct 85898->84843 85899 408f40 VariantClear 85900 408d45 moneypunct 85899->85900 85900->85898 85900->85899 85902 425c87 85901->85902 85903 40d15f 85901->85903 85904 425cc7 85902->85904 85905 425ca1 TranslateAcceleratorW 85902->85905 85903->84843 85905->85903 85907 42602f 85906->85907 85908 40d17f 85906->85908 85907->84843 85909 42608e IsDialogMessageW 85908->85909 85910 40d18c 85908->85910 86627 430c46 GetClassLongW 85908->86627 85909->85908 85909->85910 85910->84843 85913 4096c6 _wcslen 85912->85913 85914 4115d7 52 API calls 85913->85914 85974 40a70c moneypunct _memmove 85913->85974 85915 4096fa _memmove 85914->85915 85916 4115d7 52 API calls 85915->85916 85918 40971b 85916->85918 85917 4013a0 52 API calls 85919 4297aa 85917->85919 85920 409749 CharUpperBuffW 85918->85920 85924 40976a moneypunct 85918->85924 85918->85974 85921 4115d7 52 API calls 85919->85921 85920->85924 85963 4297d1 _memmove 85921->85963 85970 4097e5 moneypunct 85924->85970 86629 47dcbb 199 API calls 85924->86629 85925 408f40 VariantClear 85926 42ae92 85925->85926 86655 410c60 VariantClear moneypunct 85926->86655 85928 42aea4 85929 409aa2 85931 4115d7 52 API calls 85929->85931 85935 409afe 85929->85935 85929->85963 85930 40a689 85932 4115d7 52 API calls 85930->85932 85931->85935 85953 40a6af moneypunct _memmove 85932->85953 85933 409b2a 85937 429dbe 85933->85937 86002 409b4d moneypunct _memmove 85933->86002 86636 40b400 VariantClear VariantClear moneypunct 
85933->86636 85934 40c2c0 52 API calls 85934->85970 85935->85933 85936 4115d7 52 API calls 85935->85936 85938 429d31 85936->85938 85939 429dd3 85937->85939 86637 40b400 VariantClear VariantClear moneypunct 85937->86637 85943 429d42 85938->85943 86633 44a801 52 API calls 85938->86633 85939->86002 86638 40e1c0 VariantClear moneypunct 85939->86638 85940 429a46 VariantClear 85940->85970 85941 409fd2 85944 40a045 85941->85944 85999 42a3f5 85941->85999 85951 40e0a0 52 API calls 85943->85951 85948 4115d7 52 API calls 85944->85948 85945 408f40 VariantClear 85945->85970 85955 40a04c 85948->85955 85950 4115d7 52 API calls 85950->85970 85956 429d57 85951->85956 85960 4115d7 52 API calls 85953->85960 85961 40a0a7 85955->85961 85965 4091e0 314 API calls 85955->85965 86634 453443 52 API calls 85956->86634 85957 40ba10 52 API calls 85957->85970 85958 42a42f 86642 45e737 90 API calls 3 library calls 85958->86642 85960->85974 85985 40a0af 85961->85985 86643 40c790 VariantClear moneypunct 85961->86643 85962 4299d9 85966 408f40 VariantClear 85962->85966 86654 45e737 90 API calls 3 library calls 85963->86654 85965->85961 85969 4299e2 85966->85969 85967 429abd 85967->84843 85968 429d88 86635 453443 52 API calls 85968->86635 86631 410c60 VariantClear moneypunct 85969->86631 85970->85929 85970->85930 85970->85934 85970->85940 85970->85945 85970->85950 85970->85953 85970->85957 85970->85962 85970->85963 85970->85967 85976 40a780 197 API calls 85970->85976 85977 42a452 85970->85977 86630 40c4e0 197 API calls 85970->86630 86632 40e270 VariantClear moneypunct 85970->86632 85974->85917 85976->85970 85977->85925 85979 4115d7 52 API calls 85979->86002 85980 44a801 52 API calls 85980->86002 85982 408f40 VariantClear 86014 40a162 moneypunct _memmove 85982->86014 85983 41130a 51 API calls __cinit 85983->86002 85984 402780 52 API calls 85984->86002 85986 40a11b 85985->85986 85987 42a4b4 VariantClear 85985->85987 85985->86014 85993 40a12d moneypunct 85986->85993 86644 40e270 VariantClear moneypunct 
85986->86644 85987->85993 85988 40a780 197 API calls 85988->86002 85989 408e80 VariantClear 85989->86002 85991 401980 53 API calls 85991->86002 85992 4115d7 52 API calls 85992->86014 85993->85992 85993->86014 85995 408e80 VariantClear 85995->86014 85996 42a74d VariantClear 85996->86014 85997 40a368 85998 42aad4 85997->85998 86007 40a397 85997->86007 86647 46fe90 VariantClear VariantClear moneypunct 85998->86647 86641 47390f VariantClear 85999->86641 86000 42a7e4 VariantClear 86000->86014 86001 42a886 VariantClear 86001->86014 86002->85941 86002->85958 86002->85974 86002->85979 86002->85980 86002->85983 86002->85984 86002->85988 86002->85989 86002->85991 86002->85999 86003 409c95 86002->86003 86639 45f508 52 API calls 86002->86639 86640 403e10 53 API calls 86002->86640 86003->84843 86004 40a3ce 86019 40a3d9 moneypunct 86004->86019 86648 40b400 VariantClear VariantClear moneypunct 86004->86648 86006 40e270 VariantClear 86006->86014 86007->86004 86031 40a42c moneypunct 86007->86031 86628 40b400 VariantClear VariantClear moneypunct 86007->86628 86010 4115d7 52 API calls 86010->86014 86011 42abaf 86015 42abd4 VariantClear 86011->86015 86025 40a4ee moneypunct 86011->86025 86012 40a4dc 86012->86025 86650 40e270 VariantClear moneypunct 86012->86650 86013 4115d7 52 API calls 86016 42a5a6 VariantInit VariantCopy 86013->86016 86014->85982 86014->85995 86014->85996 86014->85997 86014->85998 86014->86000 86014->86001 86014->86006 86014->86010 86014->86013 86645 470870 52 API calls 86014->86645 86646 44ccf1 VariantClear moneypunct 86014->86646 86015->86025 86016->86014 86021 42a5c6 VariantClear 86016->86021 86017 42ac4f 86026 42ac79 VariantClear 86017->86026 86032 40a546 moneypunct 86017->86032 86020 40a41a 86019->86020 86023 42ab44 VariantClear 86019->86023 86019->86031 86020->86031 86649 40e270 VariantClear moneypunct 86020->86649 86021->86014 86022 40a534 86022->86032 86651 40e270 VariantClear moneypunct 86022->86651 86023->86031 86025->86017 86025->86022 86026->86032 86027 
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 004096C1
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • _memmove.LIBCMT ref: 0040970C
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                  • _memmove.LIBCMT ref: 00409D96
                                                  • _memmove.LIBCMT ref: 0040A6C4
                                                  • _memmove.LIBCMT ref: 004297E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                  • String ID:
                                                  • API String ID: 2383988440-0
                                                  • Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                                  • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                  • Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                                  • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                    • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,00000104,?), ref: 00401F4C
                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                    • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                  • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                  • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                    • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                  • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                  • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                  • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                    • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                    • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                    • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                    • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                    • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                    • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                  • String ID: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                  • API String ID: 2495805114-3586330392
                                                  • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                  • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                  • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                  • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                  Control-flow Graph

                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                  • CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF
                                                  • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                  • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                  • _wcslen.LIBCMT ref: 0046CDB0
                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                  • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                  • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                    • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                    • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                    • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                  Strings
                                                  • NULL Pointer assignment, xrefs: 0046CEA6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                  • String ID: NULL Pointer assignment
                                                  • API String ID: 440038798-2785691316
                                                  • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                  • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                  • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                  • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95

                                                  Control-flow Graph

                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                  • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                  • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                  • String ID: 0SH$Mw
                                                  • API String ID: 3363477735-496018430
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: IsThemeActive$uxtheme.dll
                                                  • API String ID: 2574300362-3542929980
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                  • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                  Strings
                                                  Similarity
                                                  • API ID: FreeInfoLibraryParametersSystem
                                                  • String ID: Mw
                                                  • API String ID: 3403648963-2910736759
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                  • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                  • TranslateMessage.USER32(?), ref: 00409556
                                                  • DispatchMessageW.USER32(?), ref: 00409561
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                  Strings
                                                  Similarity
                                                  • API ID: Message$Peek$DispatchSleepTranslate
                                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                  • API String ID: 1762048999-758534266

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,00000104,?), ref: 00401F4C
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • __wcsicoll.LIBCMT ref: 00402007
                                                  • __wcsicoll.LIBCMT ref: 0040201D
                                                  • __wcsicoll.LIBCMT ref: 00402033
                                                    • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                  • __wcsicoll.LIBCMT ref: 00402049
                                                  • _wcscpy.LIBCMT ref: 0040207C
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,00000104), ref: 00428B5B
                                                  Strings
                                                  Similarity
                                                  • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe$CMDLINE$CMDLINERAW
                                                  • API String ID: 3948761352-948235829

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: __fread_nolock$_fseek_wcscpy
                                                  • String ID: D)E$D)E$FILE
                                                  • API String ID: 3888824918-361185794

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                  • __wsplitpath.LIBCMT ref: 0040E41C
                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                  • _wcsncat.LIBCMT ref: 0040E433
                                                  • __wmakepath.LIBCMT ref: 0040E44F
                                                    • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                  • _wcscpy.LIBCMT ref: 0040E487
                                                    • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                  • _wcscat.LIBCMT ref: 00427541
                                                  • _wcslen.LIBCMT ref: 00427551
                                                  • _wcslen.LIBCMT ref: 00427562
                                                  • _wcscat.LIBCMT ref: 0042757C
                                                  • _wcsncpy.LIBCMT ref: 004275BC
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                  • String ID: Include$\
                                                  • API String ID: 3173733714-3429789819

                                                  Control-flow Graph

                                                  APIs
                                                  • _fseek.LIBCMT ref: 0045292B
                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                  • __fread_nolock.LIBCMT ref: 00452961
                                                  • __fread_nolock.LIBCMT ref: 00452971
                                                  • __fread_nolock.LIBCMT ref: 0045298A
                                                  • __fread_nolock.LIBCMT ref: 004529A5
                                                  • _fseek.LIBCMT ref: 004529BF
                                                  • _malloc.LIBCMT ref: 004529CA
                                                  • _malloc.LIBCMT ref: 004529D6
                                                  • __fread_nolock.LIBCMT ref: 004529E7
                                                  • _free.LIBCMT ref: 00452A17
                                                  • _free.LIBCMT ref: 00452A20
                                                  Similarity
                                                  • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                  • String ID:
                                                  • API String ID: 1255752989-0

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                  • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                  • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                  • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                  • ImageList_ReplaceIcon.COMCTL32(00ADEC50,000000FF,00000000), ref: 00410552
                                                  Strings
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                  • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                  • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                  • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                  • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                  • RegisterClassExW.USER32(?), ref: 0041045D
                                                    • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                    • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                    • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                    • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                    • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                    • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                    • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00ADEC50,000000FF,00000000), ref: 00410552
                                                  Strings
                                                  Similarity
                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                  • String ID: #$0$AutoIt v3
                                                  • API String ID: 423443420-4155596026
                                                  • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                  • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                  • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                  • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _malloc
                                                  • String ID: Default
                                                  • API String ID: 1579825452-753088835
                                                  • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                  • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                  • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                  • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                   Control-flow Graph
                                                     • Rendered graph omitted. Basic blocks: 0x40F5C0-0x40F6DF and 0x425D05-0x425D5F. Calls: sub_410E60, sub_413650, sub_414D04, sub_414D30, sub_4150D1, sub_422240.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock_fseek_memmove_strcat
                                                  • String ID: AU3!$EA06
                                                  • API String ID: 1268643489-2658333250
                                                  • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                  • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                  • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                  • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
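The function above (0x40F5C0, API ID __fread_nolock_fseek_memmove_strcat, strings "AU3!" and "EA06") matches the AutoIt v3 interpreter's compiled-script loader, which seeks through its own image for the AU3!EA06 header that precedes an embedded compiled script. The following triage script is an added example for this report, not code from Joe Sandbox or from the sample: it scans a file for that marker, reports which PE section holds it, and checks for the other AutoIt stub strings visible in this report (the "AutoIt v3" window class and the Software\AutoIt v3\AutoIt registry path). The PE buffer it builds for its demonstration run is constructed, and the section lookup and verdict logic are the example's own.

```python
"""Locate AutoIt v3 compiled-script markers in a PE image.

Added triage example for this report, not code from Joe Sandbox or from the
sample. AU3!EA06 is the documented header of an AutoIt v3 compiled script; the
PE buffer built by build_constructed_sample() is constructed for the demo run.
"""
import json
import struct
import sys

# The two strings the loader matches, "AU3!" and "EA06", as they appear back to
# back at the start of an embedded compiled script.
AU3_MAGIC = b"AU3!EA06"

# Stub strings seen elsewhere in this report: the window class passed to
# CreateWindowExW and the registry key opened with RegOpenKeyExW.
STUB_STRINGS = {
    "window_class": "AutoIt v3",
    "include_regkey": "Software\\AutoIt v3\\AutoIt",
}


def find_all(data, needle):
    """Every offset of needle in data, overlapping hits included."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table, or []."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    if table + 40 * nsec > len(data):
        return []
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections


def section_of(offset, sections):
    """Name of the section whose raw data covers the file offset, else None."""
    for name, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return name
    return None


def scan_autoit(data):
    """Marker offsets, the sections holding them, stub indicators and a verdict."""
    sections = parse_sections(data)
    offsets = find_all(data, AU3_MAGIC)
    indicators = {
        key: any(find_all(data, s.encode(enc)) for enc in ("ascii", "utf-16-le"))
        for key, s in STUB_STRINGS.items()
    }
    if offsets and indicators["window_class"]:
        verdict = "AutoIt v3 stub with embedded compiled script"
    elif offsets:
        verdict = "AU3!EA06 marker present, stub strings absent"
    elif indicators["window_class"]:
        verdict = "AutoIt stub strings only, no script marker"
    else:
        verdict = "no AutoIt indicators"
    return {
        "script_offsets": offsets,
        "script_sections": [section_of(o, sections) for o in offsets],
        "indicators": indicators,
        "verdict": verdict,
    }


def build_constructed_sample():
    """Constructed stand-in for a compiled AutoIt binary (not the real sample):
    minimal PE32 headers, a .text and a .rsrc section, the window-class string
    in .text and the AU3 magic inside .rsrc, where a stock stub keeps its script."""
    buf = bytearray(0x2400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (PE32), Characteristics
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    table = 0x80 + 24 + 0xE0
    layout = [(b".text", 0x1000, 0x400), (b".rsrc", 0x2000, 0x1400)]
    for i, (name, va, raw_ptr) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", buf, table + 40 * i,
                         name, 0x1000, va, 0x1000, raw_ptr, 0, 0, 0, 0, 0)
    wide = STUB_STRINGS["window_class"].encode("utf-16-le")
    buf[0x500:0x500 + len(wide)] = wide
    buf[0x1600:0x1600 + len(AU3_MAGIC)] = AU3_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(json.dumps(scan_autoit(data), indent=2))
```

Run it as `python scan_autoit.py sample.exe`; with no argument it scans the constructed buffer. A hit inside .rsrc is the stock layout for a compiled AutoIt binary; a hit in another section, or stub strings with no marker at all, suggests the script was relocated or the stub was repacked, and the dumped memory regions listed in this report are then the better place to look.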

                                                   Control-flow Graph
                                                     • Rendered graph omitted. Basic blocks: 0x401100-0x401225 and 0x42AFB4-0x42B06D. Calls: sub_401000, sub_401250, sub_401A50, sub_40E0C0, sub_40F190, sub_4370F4, sub_45FD57, sub_468B0E.
                                                  APIs
                                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                  • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                  • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                  • CreatePopupMenu.USER32 ref: 00401204
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                  • String ID: TaskbarCreated
                                                  • API String ID: 129472671-2362178303
                                                  • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                  • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                  • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                  • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                   Control-flow Graph
                                                     • Rendered graph omitted. Basic blocks: 0x4115D7-0x411656. Calls: sub_41130A, sub_411988, sub_4135BB, sub_417FC0, sub_4180AF, sub_418105.
                                                  APIs
                                                  • _malloc.LIBCMT ref: 004115F1
                                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                  • std::exception::exception.LIBCMT ref: 00411626
                                                  • std::exception::exception.LIBCMT ref: 00411640
                                                  • __CxxThrowException@8.LIBCMT ref: 00411651
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                  • String ID: ,*H$4*H$@fI
                                                  • API String ID: 615853336-1459471987
                                                  • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                  • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                  • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                  • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                   Control-flow Graph
                                                     • Rendered graph omitted. Basic blocks: 0x3FB9680-0x3FB9982. Calls: sub_3FB7080, sub_3FBA590, sub_3FBA5F0, sub_3FBA7E0. API sequence along the graph: CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, CloseHandle, VirtualFree, VirtualFree.
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03FB9751
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03FB9977
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateFileFreeVirtual
                                                  • String ID:
                                                  • API String ID: 204039940-0
                                                  • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                  • Instruction ID: 98bfe7d4da08506a46ff65f71f3c3ee2a857a46afca1408b686f89027d495d57
                                                  • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                  • Instruction Fuzzy Hash: F9A129B4E00209EBDB14CFA5C994BEEB7B5FF48304F248599E215BB280D7B59A41CF64
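The function above executes from a region that is not backed by a PE image (Offset 03FB7000, based on PE: false) and opens a file, allocates memory, reads the file into it and releases the buffer: a file-to-memory loader running from private memory. The argument lists Joe Sandbox prints are raw stack dwords, so reading the flags by hand is error-prone. The helper below is an added example, not part of the report or of the sample: it parses the two API lines of this entry, names the CreateFileW and VirtualFree flag values, and tags each call with the origin region. The column offset it uses for CreateFileW (one leading slot before lpFileName, which is the '?' in the second position) is an assumption read off this particular line, not documented report behaviour; the constant tables are the documented Win32 values.

```python
"""Decode Win32 flag arguments from a Joe Sandbox 'APIs' line.

Added triage helper, not code from the report or from Joe Security. The lines in
REPORT_API_LINES and REPORT_SOURCE_LINE are copied from this entry of the
report; the flag tables are the documented Win32 values.
"""
import re

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
SOURCE_LINE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]{8}),\s*based on PE:\s*(?P<pe>true|false)"
)

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIBUTES = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
              0x40000000: "FILE_FLAG_OVERLAPPED"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}


def parse_api_line(line):
    """Split 'Api.Module(args), ref: addr' into parts.

    Hex dwords become ints, '?' (a pointer Joe could not resolve) becomes None,
    anything else (an inline string such as a registry path) stays a str.
    """
    m = API_LINE.search(line)
    if m is None:
        return None
    args = []
    for tok in (m["args"] or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def flag_names(value, table):
    """Exact table entry, else 'A|B' for the bits found, else hex; '?' for None."""
    if value is None:
        return "?"
    if value in table:
        return table[value]
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode_call(call, skip=0):
    """Name the flag arguments of CreateFileW / VirtualFree.

    Joe Sandbox dumps raw stack dwords, so where the first real argument sits
    has to be read off the line: `skip` is the number of leading slots to
    ignore. Assumption for this report: 1 for the CreateFileW line (the '?' in
    the second slot is lpFileName), 0 for the VirtualFree line.
    """
    a = call["args"][skip:]
    if call["api"] == "CreateFileW" and len(a) >= 7:
        _name, access, share, _sec, disp, attrs, _tmpl = a[:7]
        return {"access": flag_names(access, GENERIC_ACCESS),
                "share": flag_names(share, SHARE_MODE),
                "disposition": flag_names(disp, DISPOSITION),
                "attributes": flag_names(attrs, ATTRIBUTES)}
    if call["api"] == "VirtualFree" and len(a) >= 3:
        _addr, size, free_type = a[:3]
        return {"size": size, "free_type": flag_names(free_type, FREE_TYPE)}
    return {}


def region_is_pe_backed(source_line):
    """True when the 'Memory Dump Source' line says the code sits in a mapped image."""
    m = SOURCE_LINE.search(source_line)
    if m is None:
        raise ValueError("no 'Offset ..., based on PE: ...' field in line")
    return m["pe"] == "true"


def triage(api_lines, source_line):
    """(api, ref, origin, decoded) per call; origin flags non-image memory."""
    origin = "image-backed" if region_is_pe_backed(source_line) else "private (non-PE) memory"
    out = []
    for line, skip in api_lines:
        call = parse_api_line(line)
        if call is not None:
            out.append((call["api"], hex(call["ref"]), origin, decode_call(call, skip)))
    return out


# Copied from this report entry; the skip value beside each line is the
# example's own reading of where the real arguments start.
REPORT_API_LINES = [
    ("CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,"
     "00000000,?,00000000), ref: 03FB9751", 1),
    ("VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,"
     "00000000,?,?,00000000), ref: 03FB9977", 0),
]
REPORT_SOURCE_LINE = ("Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040."
                      "00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false")

if __name__ == "__main__":
    for finding in triage(REPORT_API_LINES, REPORT_SOURCE_LINE):
        print(finding)
```

Decoded, the entry reads as CreateFileW(name, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL) followed later by VirtualFree(addr, 0, MEM_RELEASE). Neither call is suspicious on its own; the signal is the combination of a read-only open, a private allocation and a release issued from memory that no loaded image accounts for, which is what a detection rule should key on rather than any single API name.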

                                                   Control-flow Graph
                                                     • Rendered graph omitted. Basic blocks: 0x4102B0-0x410384 and 0x425DFD-0x425E0E. Calls: sub_412FBA, sub_433244.
                                                  APIs
                                                  • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                  • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                  • _wcsncpy.LIBCMT ref: 004102ED
                                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                  • _wcsncpy.LIBCMT ref: 00410340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                  • String ID: C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                  • API String ID: 3170942423-3994685151
                                                  • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                  • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                  • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                  • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                                                   Control-flow Graph
                                                     • Rendered graph omitted. Basic blocks: 0x401250-0x4012ED and 0x4272EC-0x4273B4. Calls: sub_401B80, sub_412F40.
                                                  APIs
                                                    • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                    • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                    • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                  • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                  • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                  • String ID:
                                                  • API String ID: 3300667738-0
                                                  • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                  • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                  • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                  • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: QueryValue$CloseOpen
                                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                                  • API String ID: 1586453840-614718249
                                                  • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                  • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                  • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                  • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                                  APIs
                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                  • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                  • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateShow
                                                  • String ID: AutoIt v3$edit
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$Copy$ClearErrorLast
                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                  APIs
                                                    • Part of subcall function 03FB9320: Sleep.KERNELBASE(000001F4), ref: 03FB9331
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03FB9577
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateFileSleep
                                                  • String ID: DHD23T2JR4S5R5LYEYPCR
                                                  APIs
                                                  • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • _wcsncpy.LIBCMT ref: 00401C41
                                                  • _wcscpy.LIBCMT ref: 00401C5D
                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                  • String ID: Line:
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                  • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                  • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Close$OpenQueryValue
                                                  • String ID: Control Panel\Mouse
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Mw
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                  • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentTerminate
                                                  • String ID: Mw
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03FB8B4D
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FB8B71
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FB8B93
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 0047950F
                                                  • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                  • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                  • VariantClear.OLEAUT32(?), ref: 00479650
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$AllocClearCopyInitString
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                  • _free.LIBCMT ref: 004295A0
                                                    • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                    • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                    • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                    • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                    • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                    • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                  • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: Error:
                                                  APIs
                                                  • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,0040F545,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,004A90E8,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,?,0040F545), ref: 0041013C
                                                    • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                    • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                    • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                    • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Similarity
                                                  • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                  • String ID: X$pWH
                                                  • API String ID: 85490731-941433119
                                                  • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                  • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                  • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                  • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • _memmove.LIBCMT ref: 00401B57
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                  Strings
                                                  Similarity
                                                  • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                  • String ID: @EXITCODE
                                                  • API String ID: 2734553683-3436989551
                                                  • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                  • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                  • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                  • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                  Strings
                                                  • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                  • C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, xrefs: 00410107
                                                  Similarity
                                                  • API ID: _strcat
                                                  • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                  • API String ID: 1765576173-863038067
                                                  • Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                                  • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                  • Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                                  • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                  APIs
                                                  Similarity
                                                  • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                  • String ID:
                                                  • API String ID: 1794320848-0
                                                  • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                  • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                  • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                  • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                  APIs
                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                  Similarity
                                                  • API ID: IconNotifyShell_
                                                  • String ID:
                                                  • API String ID: 1144537725-0
                                                  • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                  • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                  • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                  • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                  APIs
                                                  • _malloc.LIBCMT ref: 0043214B
                                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                  • _malloc.LIBCMT ref: 0043215D
                                                  • _malloc.LIBCMT ref: 0043216F
                                                  Similarity
                                                  • API ID: _malloc$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 680241177-0
                                                  • Opcode ID: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                                  • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                  • Opcode Fuzzy Hash: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                                  • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                  APIs
                                                  • TranslateMessage.USER32(?), ref: 00409556
                                                  • DispatchMessageW.USER32(?), ref: 00409561
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                  Similarity
                                                  • API ID: Message$DispatchPeekTranslate
                                                  • String ID:
                                                  • API String ID: 4217535847-0
                                                  • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                  • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                                  • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                  • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                                  APIs
                                                  • _free.LIBCMT ref: 0043210A
                                                    • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
                                                    • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
                                                  • _free.LIBCMT ref: 0043211D
                                                  • _free.LIBCMT ref: 00432130
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                                  • Instruction ID: d08fe22c6a524c27e4c6c7bcf1019f14b9a5eff3fc739cf1d41fcb720108e0a5
                                                  • Opcode Fuzzy Hash: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                                  • Instruction Fuzzy Hash: 29E092F290071433CD1099219941A87F38C4B15B11F08402AFA15A3301E969FA40C1E9
                                                  APIs
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                  • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                                  • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                  • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                                  APIs
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 275534035a012e7ef0db215d78f24564d6aa5c775b6c55b3817692144b07e5e7
                                                  • Instruction ID: 2565b1472f88146c75409e19c065a4aacb94a5f6c219594ae44f545f2623c2f3
                                                  • Opcode Fuzzy Hash: 275534035a012e7ef0db215d78f24564d6aa5c775b6c55b3817692144b07e5e7
                                                  • Instruction Fuzzy Hash: 85412871D00104AFDB10AF15C881BAE7B74AF4670CF14C05AFA055B342E63DA946CBAA
                                                  APIs
                                                    • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                  • _strcat.LIBCMT ref: 0040F786
                                                    • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                    • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                  • String ID:
                                                  • API String ID: 3199840319-0
                                                  • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                  • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                  • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                  • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                  APIs
                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                  • __lock_file.LIBCMT ref: 00414A8D
                                                    • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                  • __fclose_nolock.LIBCMT ref: 00414A98
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                  • String ID:
                                                  • API String ID: 2800547568-0
                                                  • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                  • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                  • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                  • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                  APIs
                                                  • __lock_file.LIBCMT ref: 00415012
                                                  • __ftell_nolock.LIBCMT ref: 0041501F
                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                  • String ID:
                                                  • API String ID: 2999321469-0
                                                  • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                  • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                  • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                  • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03FB8B4D
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FB8B71
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FB8B93
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                  • Instruction ID: b866e30b0bb687699726f41f5b06cf3442fd1b8ecef7c40d724ef3c4f783cfab
                                                  • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                  • Instruction Fuzzy Hash: 3212DE24E24658C6EB24DF64D8507DEB232EF68340F1090E9D10DEB7A5E77A4E81CF5A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                  • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                  • Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                  • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                  • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                  • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                  • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __lock_file
                                                  • String ID:
                                                  • API String ID: 3031932315-0
                                                  • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                  • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                  • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                  • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                  APIs
                                                    • Part of subcall function 00479500: VariantInit.OLEAUT32(?), ref: 0047950F
                                                    • Part of subcall function 00437063: VariantClear.OLEAUT32(00479459), ref: 0043706B
                                                    • Part of subcall function 00437063: VariantCopy.OLEAUT32(00479459,00470E7C), ref: 00437076
                                                  • VariantClear.OLEAUT32(?), ref: 0047973E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$CopyInit
                                                  • String ID:
                                                  • API String ID: 24293632-0
                                                  • Opcode ID: 5d7337fccf444792d50b64af1a389de1ebb3e8953e67bf22bf250c0f7ac223aa
                                                  • Instruction ID: ce75823fad5ab463881ca656a32c684f825172ff923cb7d6b6c05433a05b9d1b
                                                  • Opcode Fuzzy Hash: 5d7337fccf444792d50b64af1a389de1ebb3e8953e67bf22bf250c0f7ac223aa
                                                  • Instruction Fuzzy Hash: C4E012B251010C6B8704FBFDDDC6CAFB7BCFB18204B80495DB919A3142EA75A914C7E9
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __wfsopen
                                                  • String ID:
                                                  • API String ID: 197181222-0
                                                  • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                  • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                  • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                  • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 03FB9331
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction ID: d2a9b89daf9b2eff8de72a367e9189d5dd8a009d1d72bbb66fb602fd3d431eb9
                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction Fuzzy Hash: 9EE0BF7494010D9FDB00EFA8D5496DE7BB4EF04301F1001A1FD01D2280D67099508A62
                                                  APIs
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                  • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                  • GetKeyState.USER32(00000011), ref: 0047C92D
                                                  • GetKeyState.USER32(00000009), ref: 0047C936
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                  • GetKeyState.USER32(00000010), ref: 0047C953
                                                  • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                  • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                  • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                  • _wcsncpy.LIBCMT ref: 0047CA29
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                  • SendMessageW.USER32 ref: 0047CA7F
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                  • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                  • ImageList_SetDragCursorImage.COMCTL32(00ADEC50,00000000,00000000,00000000), ref: 0047CB9B
                                                  • ImageList_BeginDrag.COMCTL32(00ADEC50,00000000,000000F8,000000F0), ref: 0047CBAC
                                                  • SetCapture.USER32(?), ref: 0047CBB6
                                                  • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                  • ReleaseCapture.USER32 ref: 0047CC3A
                                                  • GetCursorPos.USER32(?), ref: 0047CC72
                                                  • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                  • SendMessageW.USER32 ref: 0047CD12
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                  • SendMessageW.USER32 ref: 0047CD80
                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                  • GetCursorPos.USER32(?), ref: 0047CDC8
                                                  • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                  • GetParent.USER32(00000000), ref: 0047CDF7
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                  • SendMessageW.USER32 ref: 0047CE93
                                                  • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,02F51B28,00000000,?,?,?,?), ref: 0047CF1C
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                  • SendMessageW.USER32 ref: 0047CF6B
                                                  • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,02F51B28,00000000,?,?,?,?), ref: 0047CFE6
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                  • String ID: @GUI_DRAGID$F
                                                  • API String ID: 3100379633-4164748364
                                                  • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                  • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                  • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                  • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00434420
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                  • IsIconic.USER32(?), ref: 0043444F
                                                  • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                  • SetForegroundWindow.USER32(?), ref: 0043446A
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                  • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                  • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                  • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                  • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                  • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                  • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                  • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                  • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 2889586943-2988720461
                                                  • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                  • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                  • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                  • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                  APIs
                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                  • CloseHandle.KERNEL32(?), ref: 004463A0
                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                  • GetProcessWindowStation.USER32 ref: 004463D1
                                                  • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                  • _wcslen.LIBCMT ref: 00446498
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • _wcsncpy.LIBCMT ref: 004464C0
                                                  • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                  • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                  • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                  • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                  • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                  • CloseDesktop.USER32(?), ref: 0044657A
                                                  • SetProcessWindowStation.USER32(?), ref: 00446588
                                                  • CloseHandle.KERNEL32(?), ref: 00446592
                                                  • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                  • String ID: $@OH$default$winsta0
                                                  • API String ID: 3324942560-3791954436
                                                  • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                  • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                  • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                  • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                  APIs
                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,0040F545,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,004A90E8,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,?,0040F545), ref: 0041013C
                                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                    • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                  • _wcscat.LIBCMT ref: 0044BD94
                                                  • _wcscat.LIBCMT ref: 0044BDBD
                                                  • __wsplitpath.LIBCMT ref: 0044BDEA
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                  • _wcscpy.LIBCMT ref: 0044BE71
                                                  • _wcscat.LIBCMT ref: 0044BE83
                                                  • _wcscat.LIBCMT ref: 0044BE95
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                  • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                  • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                  • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                  • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                  • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                  • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 2188072990-1173974218
                                                  • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                  • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                  • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                  • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                  • FindClose.KERNEL32(00000000), ref: 00478924
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                  • __swprintf.LIBCMT ref: 004789D3
                                                  • __swprintf.LIBCMT ref: 00478A1D
                                                  • __swprintf.LIBCMT ref: 00478A4B
                                                  • __swprintf.LIBCMT ref: 00478A79
                                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                  • __swprintf.LIBCMT ref: 00478AA7
                                                  • __swprintf.LIBCMT ref: 00478AD5
                                                  • __swprintf.LIBCMT ref: 00478B03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                  • API String ID: 999945258-2428617273
                                                  • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                  • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                  • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                  • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                  • __wsplitpath.LIBCMT ref: 00403492
                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                  • _wcscpy.LIBCMT ref: 004034A7
                                                  • _wcscat.LIBCMT ref: 004034BC
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                  • _wcscpy.LIBCMT ref: 004035A0
                                                  • _wcslen.LIBCMT ref: 00403623
                                                  • _wcslen.LIBCMT ref: 0040367D
                                                  Strings
                                                  • Unterminated string, xrefs: 00428348
                                                  • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                  • Error opening the file, xrefs: 00428231
                                                  • _, xrefs: 0040371C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                  • API String ID: 3393021363-188983378
                                                  • Opcode ID: 8f97009b1bf37824170bfd28a55259835aaf6cf29f8ea0c932b2b617a2771f3f
                                                  • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                  • Opcode Fuzzy Hash: 8f97009b1bf37824170bfd28a55259835aaf6cf29f8ea0c932b2b617a2771f3f
                                                  • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                  • FindClose.KERNEL32(00000000), ref: 00431B20
                                                  • FindClose.KERNEL32(00000000), ref: 00431B34
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                  • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                  • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                  • String ID: *.*
                                                  • API String ID: 1409584000-438819550
                                                  • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                  • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                  • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                  • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                  • __swprintf.LIBCMT ref: 00431C2E
                                                  • _wcslen.LIBCMT ref: 00431C3A
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                  • String ID: :$\$\??\%s
                                                  • API String ID: 2192556992-3457252023
                                                  • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                  • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                  • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                  • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                  • __swprintf.LIBCMT ref: 004722B9
                                                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                  • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                  • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                  • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                  • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                  • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                  • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                  • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: FolderPath$LocalTime__swprintf
                                                  • String ID: %.3d
                                                  • API String ID: 3337348382-986655627
                                                  • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                  • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                  • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                  • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                  • FindClose.KERNEL32(00000000), ref: 0044291C
                                                  • FindClose.KERNEL32(00000000), ref: 00442930
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                  • FindClose.KERNEL32(00000000), ref: 004429D4
                                                    • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                  • FindClose.KERNEL32(00000000), ref: 004429E2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                  • String ID: *.*
                                                  • API String ID: 2640511053-438819550
                                                  • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                  • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                  • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                  • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                  • GetLastError.KERNEL32 ref: 00433414
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                  • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 2938487562-3733053543
                                                  • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                  • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                  • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                  • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                  APIs
                                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                    • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                    • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                  • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                  • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                  • CopySid.ADVAPI32(00000000), ref: 00446271
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                  • String ID:
                                                  • API String ID: 1255039815-0
                                                  • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                  • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                  • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                  • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                  APIs
                                                  • __swprintf.LIBCMT ref: 00433073
                                                  • __swprintf.LIBCMT ref: 00433085
                                                  • __wcsicoll.LIBCMT ref: 00433092
                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                  • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                  • LockResource.KERNEL32(00000000), ref: 004330CA
                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                  • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                  • LockResource.KERNEL32(?), ref: 00433120
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                  • String ID:
                                                  • API String ID: 1158019794-0
                                                  • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                  • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                  • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                  • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                  • String ID:
                                                  • API String ID: 1737998785-0
                                                  • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                  • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                  • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                  • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                  • GetLastError.KERNEL32 ref: 0045D6BF
                                                  • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                  • API String ID: 4194297153-14809454
                                                  • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                  • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                  • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                  • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                  • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                                  • String ID:
                                                  • API String ID: 540024437-0
                                                  • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                  • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                  • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                  • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                  • API String ID: 0-2872873767
                                                  • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                  • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                  • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                  • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                  • __wsplitpath.LIBCMT ref: 00475644
                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                  • _wcscat.LIBCMT ref: 00475657
                                                  • __wcsicoll.LIBCMT ref: 0047567B
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                  • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                  • String ID:
                                                  • API String ID: 2547909840-0
                                                  • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                  • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                  • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                  • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                  • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                  • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                  • FindClose.KERNEL32(?), ref: 004525FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                  • String ID: *.*$\VH
                                                  • API String ID: 2786137511-2657498754
                                                  • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                  • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                  • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                  • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                  • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                  • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                  • String ID: pqI
                                                  • API String ID: 2579439406-2459173057
                                                  • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                  • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                  • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                  • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                  APIs
                                                  • __wcsicoll.LIBCMT ref: 00433349
                                                  • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                  • __wcsicoll.LIBCMT ref: 00433375
                                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __wcsicollmouse_event
                                                  • String ID: DOWN
                                                  • API String ID: 1033544147-711622031
                                                  • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                  • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                  • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                  • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                  • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                  • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                  • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: KeyboardMessagePostState$InputSend
                                                  • String ID:
                                                  • API String ID: 3031425849-0
                                                  • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                  • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                  • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                  • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                  APIs
                                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                  • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 4170576061-0
                                                  • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                  • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                  • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                  • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                  APIs
                                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                  • IsWindowVisible.USER32 ref: 0047A368
                                                  • IsWindowEnabled.USER32 ref: 0047A378
                                                  • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                  • IsIconic.USER32 ref: 0047A393
                                                  • IsZoomed.USER32 ref: 0047A3A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                  • String ID:
                                                  • API String ID: 292994002-0
                                                  • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                  • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                  • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                  • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                  APIs
                                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                  • CloseClipboard.USER32 ref: 0046DD0D
                                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                  • CloseClipboard.USER32 ref: 0046DD41
                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                  • CloseClipboard.USER32 ref: 0046DD99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                  • String ID:
                                                  • API String ID: 15083398-0
                                                  • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                  • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                  • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                  • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
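The records above are raw API references, and read alone they overstate one behaviour: the sequence at 00421FC1 (IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess with exit status C0000409, STATUS_STACK_BUFFER_OVERRUN) is the MSVC CRT's /GS security-cookie failure path (__report_gsfailure / __raise_securityfailure) that every MSVC-linked binary carries, not an anti-debugging check; the clipboard, keyboard/SendInput, UDP socket and Toolhelp32 records are the ones worth attention. The following Python script is an added example, not part of the Joe Sandbox report: it parses "APIs" blocks in this page's layout and assigns behaviour tags, treating the CRT handler as boilerplate rather than anti-debug. The SAMPLE text is a constructed copy of four records from this page; the tag names and the classification rules are this example's own assumptions.

```python
"""Tag Joe Sandbox function records by the Win32 APIs they reference.
Added example, not part of the Joe Sandbox report: parses the "APIs" blocks
in this page's layout; tag names and rules are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: four records copied in this page's layout.
SAMPLE = """\
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD41
APIs
• IsDebuggerPresent.KERNEL32 ref: 00421FC1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
• UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
• TerminateProcess.KERNEL32(00000000), ref: 00422004
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
"""

# One API reference, with or without an argument list or a sub-call prefix.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STATUS_STACK_BUFFER_OVERRUN = "C0000409"  # exit status of the CRT /GS failure path


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when the API sits in a sub-call


def parse_records(text: str) -> List[List[Call]]:
    """Return the API calls of each 'APIs' block, in page order."""
    records: List[List[Call]] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•*-").strip()  # drop the bullet glyph
        if line == "APIs":
            records.append([])
            continue
        m = API_LINE.match(line) if records else None
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
    return records


def classify(calls: List[Call]) -> Set[str]:
    """Behaviour tags for one record (assumed names and rules, see lead-in)."""
    names = {c.name for c in calls}
    tags: Set[str] = set()
    gs_path = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
               "UnhandledExceptionFilter", "TerminateProcess"}
    # The MSVC CRT /GS cookie failure handler calls exactly this set and exits
    # with STATUS_STACK_BUFFER_OVERRUN: linker boilerplate, not anti-debug.
    if gs_path <= names and any(STATUS_STACK_BUFFER_OVERRUN in c.args for c in calls):
        tags.add("crt_gs_failure_handler")
    elif names & {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}:
        tags.add("anti_debug")
    if {"OpenClipboard", "GetClipboardData"} <= names:
        tags.add("clipboard_read")
    if names & {"SendInput", "mouse_event", "keybd_event"}:
        tags.add("input_injection")
    if {"FindFirstFileW", "FindNextFileW"} <= names:
        tags.add("file_enumeration")
    if "CreateToolhelp32Snapshot" in names or any(n.startswith("Process32") for n in names):
        tags.add("process_enumeration")
    if "InternetReadFile" in names:
        tags.add("http_read")
    # socket(AF_INET, SOCK_DGRAM=2, IPPROTO_UDP=0x11), zero-padded hex as in the report
    if any(c.name == "socket" and c.args[1:3] == ["00000002", "00000011"] for c in calls):
        tags.add("udp_socket")
    return tags


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec[0].ref, sorted(classify(rec)))
```

Run as a script it prints one tag set per record; the Memory Dump Source, Similarity and fuzzy-hash lines are ignored, so the parser works on a whole report as long as each call list follows an "APIs" heading. Requiring the C0000409 exit status alongside the API set is what keeps the rule precise: a hand-written anti-debug routine may also pair IsDebuggerPresent with TerminateProcess, but it would not normally exit with STATUS_STACK_BUFFER_OVERRUN.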
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 3541575487-0
                                                  • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                  • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                  • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                  • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                  • FindClose.KERNEL32(00000000), ref: 004339EB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirst
                                                  • String ID:
                                                  • API String ID: 48322524-0
                                                  • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                  • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                  • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                  • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                  APIs
                                                  • __time64.LIBCMT ref: 00442E1E
                                                    • Part of subcall function 004148B3: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00430E3E,00000000,?,?,00441E36,?,00000001), ref: 004148BE
                                                    • Part of subcall function 004148B3: __aulldiv.LIBCMT ref: 004148DE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                  • String ID: @uJ
                                                  • API String ID: 2893107130-1268412911
                                                  • Opcode ID: f8baac42c5f25f74c7dd853c159356035b8e1d829a17ed988ba9b2caf3e3cd55
                                                  • Instruction ID: d38707ff02ce459d0d249ce09c4ef886a5fe37698b82f7f0427e65daa233e585
                                                  • Opcode Fuzzy Hash: f8baac42c5f25f74c7dd853c159356035b8e1d829a17ed988ba9b2caf3e3cd55
                                                  • Instruction Fuzzy Hash: CB21A2335605108BF320CF37CC01652B7E7EBE5310F358A69E4A5973D1DAB96906CB98
                                                  APIs
                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                  • String ID:
                                                  • API String ID: 901099227-0
                                                  • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                  • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                  • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                  • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                  APIs
                                                  • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Proc
                                                  • String ID:
                                                  • API String ID: 2346855178-0
                                                  • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                  • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                  • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                  • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                  APIs
                                                  • BlockInput.USER32(00000001), ref: 0045A38B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                  • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                  • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                  • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                  APIs
                                                  • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: LogonUser
                                                  • String ID:
                                                  • API String ID: 1244722697-0
                                                  • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                  • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                  • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                  • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID:
                                                  • API String ID: 2645101109-0
                                                  • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                  • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                  • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                  • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                  • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                  • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                  • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: N@
                                                  • API String ID: 0-1509896676
                                                  • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                  • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                  • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                  • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                  • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                  • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                  • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                  • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                  • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                  • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                  • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                  • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                  • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                  • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                  • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                  • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                  • Instruction ID: 1be110723fa64262e89d0aec0a1a20255c1bae91910aebb39a61821022ff9223
                                                  • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                  • Instruction Fuzzy Hash: 55B1B533D0A6B3058736836D05582BFFE626E91B8031FC396CDD03F399C62AAD9295D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                  • Instruction ID: 2e4c5f32dc4625ebf09a023bc9ff22b8cda93cc511a8ec7ca613d02b84373596
                                                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                  • Instruction Fuzzy Hash: E741A471D1051CEBCF48CFADC991AEEBBF1AF88201F648299D516AB345D730AB41DB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                  • Instruction ID: df8ddd3230d243ec9489b5cdb5e6b97136291fe8f441efbd65973a1111a1a8a6
                                                  • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                  • Instruction Fuzzy Hash: F9018078E10209EFCB44DF99C5909AEF7B5FB48310B208599D909A7701D730AE41DB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1399327193.0000000003FB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FB7000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3fb7000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • DeleteObject.GDI32(?), ref: 0045953B
                                                  • DeleteObject.GDI32(?), ref: 00459551
                                                  • DestroyWindow.USER32(?), ref: 00459563
                                                  • GetDesktopWindow.USER32 ref: 00459581
                                                  • GetWindowRect.USER32(00000000), ref: 00459588
                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                  • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                  • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                  • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                  • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                  • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                  • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                  • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                  • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                  • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                  • ShowWindow.USER32(?,00000004), ref: 00459865
                                                  • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                  • GetStockObject.GDI32(00000011), ref: 004598CD
                                                  • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                  • DeleteDC.GDI32(00000000), ref: 004598F8
                                                  • _wcslen.LIBCMT ref: 00459916
                                                  • _wcscpy.LIBCMT ref: 0045993A
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                  • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                  • GetDC.USER32(00000000), ref: 004599FC
                                                  • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                  • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                  • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                  • API String ID: 4040870279-2373415609
                                                  APIs
                                                  • GetSysColor.USER32(00000012), ref: 0044181E
                                                  • SetTextColor.GDI32(?,?), ref: 00441826
                                                  • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                  • GetSysColor.USER32(0000000F), ref: 00441849
                                                  • SetBkColor.GDI32(?,?), ref: 00441864
                                                  • SelectObject.GDI32(?,?), ref: 00441874
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                  • GetSysColor.USER32(00000010), ref: 004418B2
                                                  • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                  • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                  • DeleteObject.GDI32(?), ref: 004418D5
                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                  • FillRect.USER32(?,?,?), ref: 00441970
                                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                    • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                    • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                    • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                    • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                    • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                    • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                    • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                    • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                    • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                  • String ID:
                                                  • API String ID: 69173610-0
                                                  APIs
                                                  • DestroyWindow.USER32(?), ref: 004590F2
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                  • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                  • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                  • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                  • GetStockObject.GDI32(00000011), ref: 004592AC
                                                  • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                  • DeleteDC.GDI32(00000000), ref: 004592D6
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                  • GetStockObject.GDI32(00000011), ref: 004593D3
                                                  • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                  • API String ID: 2910397461-517079104
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                  • API String ID: 1038674560-3360698832
                                                  APIs
                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                  • SetCursor.USER32(00000000), ref: 0043075B
                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                  • SetCursor.USER32(00000000), ref: 00430773
                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                  • SetCursor.USER32(00000000), ref: 0043078B
                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                  • SetCursor.USER32(00000000), ref: 004307A3
                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                  • SetCursor.USER32(00000000), ref: 004307BB
                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                  • SetCursor.USER32(00000000), ref: 004307D3
                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                  • SetCursor.USER32(00000000), ref: 004307EB
                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                  • SetCursor.USER32(00000000), ref: 00430803
                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                  • SetCursor.USER32(00000000), ref: 0043081B
                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                  • SetCursor.USER32(00000000), ref: 00430833
                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                  • SetCursor.USER32(00000000), ref: 0043084B
                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                  • SetCursor.USER32(00000000), ref: 00430863
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                  • SetCursor.USER32(00000000), ref: 0043087B
                                                  • SetCursor.USER32(00000000), ref: 00430887
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                  • SetCursor.USER32(00000000), ref: 0043089F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Cursor$Load
                                                  • String ID:
                                                  • API String ID: 1675784387-0
                                                  APIs
                                                  • GetSysColor.USER32(0000000E), ref: 00430913
                                                  • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                  • GetSysColor.USER32(00000012), ref: 00430933
                                                  • SetTextColor.GDI32(?,?), ref: 0043093B
                                                  • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                  • GetSysColor.USER32(0000000F), ref: 00430959
                                                  • CreateSolidBrush.GDI32(?), ref: 00430962
                                                  • GetSysColor.USER32(00000011), ref: 00430979
                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                  • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                  • SetBkColor.GDI32(?,?), ref: 004309A6
                                                  • SelectObject.GDI32(?,?), ref: 004309B4
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                  • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                  • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                  • GetSysColor.USER32(00000011), ref: 00430A9F
                                                  • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                  • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                  • SelectObject.GDI32(?,?), ref: 00430AD0
                                                  • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                  • SelectObject.GDI32(?,?), ref: 00430AE3
                                                  • DeleteObject.GDI32(?), ref: 00430AE9
                                                  • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                  • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
Similarity
• API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1582027408-0
• Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
• Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
• Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
• Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
• RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
Strings
Similarity
• API ID: CloseConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 3217815495-966354055
• Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
• Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
• Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
• Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
APIs
• GetCursorPos.USER32(?), ref: 004566AE
• GetDesktopWindow.USER32 ref: 004566C3
• GetWindowRect.USER32(00000000), ref: 004566CA
• GetWindowLongW.USER32(?,000000F0), ref: 00456722
• GetWindowLongW.USER32(?,000000F0), ref: 00456735
• DestroyWindow.USER32(?), ref: 00456746
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
• SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
• SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
• IsWindowVisible.USER32(?), ref: 0045682C
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
• GetWindowRect.USER32(?,?), ref: 00456873
• MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
• GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
• CopyRect.USER32(?,?), ref: 004568BE
• SendMessageW.USER32(?,00000412,00000000), ref: 00456914
Strings
Similarity
• API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
• API String ID: 225202481-3320066284
• Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
• Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
• Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
• Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
• Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
• Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
• Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Strings
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
• Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
• Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
• Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
• Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
APIs
Strings
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
• Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
• Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
• Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
• Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
APIs
Strings
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
• Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
• Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
• Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
• Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
• Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
• Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
• Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
APIs
  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
• _fseek.LIBCMT ref: 00452B3B
• __wsplitpath.LIBCMT ref: 00452B9B
• _wcscpy.LIBCMT ref: 00452BB0
• _wcscat.LIBCMT ref: 00452BC5
• __wsplitpath.LIBCMT ref: 00452BEF
• _wcscat.LIBCMT ref: 00452C07
• _wcscat.LIBCMT ref: 00452C1C
• __fread_nolock.LIBCMT ref: 00452C53
• __fread_nolock.LIBCMT ref: 00452C64
• __fread_nolock.LIBCMT ref: 00452C83
• __fread_nolock.LIBCMT ref: 00452C94
• __fread_nolock.LIBCMT ref: 00452CB5
• __fread_nolock.LIBCMT ref: 00452CC6
• __fread_nolock.LIBCMT ref: 00452CD7
• __fread_nolock.LIBCMT ref: 00452CE8
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452D78
Similarity
• API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
• String ID:
• API String ID: 2054058615-0
• Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
• Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
• Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
• Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
Strings
                                                  Similarity
                                                  • API ID: Window
                                                  • String ID: 0
                                                  • API String ID: 2353593579-4108050209
                                                  APIs
                                                  • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                  • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                  • GetWindowDC.USER32(?), ref: 0044A0F6
                                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                  • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                  • GetSysColor.USER32(0000000F), ref: 0044A131
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                  • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                  • GetSysColor.USER32(00000005), ref: 0044A15B
                                                  • GetWindowDC.USER32(?), ref: 0044A1BE
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                  • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                  • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                  • GetSysColor.USER32(00000008), ref: 0044A265
                                                  • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                  • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                  • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                  Similarity
                                                  • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                  • String ID:
                                                  • API String ID: 1744303182-0
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                  • __mtterm.LIBCMT ref: 00417C34
                                                    • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                    • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                  • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                  • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                  • __init_pointers.LIBCMT ref: 00417CE6
                                                  • __calloc_crt.LIBCMT ref: 00417D54
                                                  • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                  Similarity
                                                  • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                  • API String ID: 4163708885-3819984048
                                                  Similarity
                                                  • API ID:
                                                  • String ID: >>>AUTOIT SCRIPT<<<$\
                                                  • API String ID: 0-1896584978
                                                  APIs
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0046EE79
                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0046F265
                                                  • IsWindow.USER32(?), ref: 0046F29A
                                                  • GetDesktopWindow.USER32 ref: 0046F356
                                                  • EnumChildWindows.USER32(00000000), ref: 0046F35D
                                                  • EnumWindows.USER32(0046130D,?), ref: 0046F365
                                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                  Similarity
                                                  • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
                                                  • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                  • API String ID: 329138477-1919597938
                                                  Similarity
                                                  • API ID: __wcsicoll$IconLoad
                                                  • String ID: blank$info$question$stop$warning
                                                  • API String ID: 2485277191-404129466
                                                  APIs
                                                  • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                  • SetWindowTextW.USER32(?,?), ref: 00454678
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                  • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                  • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                  • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                  • GetWindowRect.USER32(?,?), ref: 004546F5
                                                  • SetWindowTextW.USER32(?,?), ref: 00454765
                                                  • GetDesktopWindow.USER32 ref: 0045476F
                                                  • GetWindowRect.USER32(00000000), ref: 00454776
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                  • GetClientRect.USER32(?,?), ref: 004547D2
                                                  • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                  • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                  Similarity
                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                  • String ID:
                                                  • API String ID: 3869813825-0
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00464B28
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                  • _wcslen.LIBCMT ref: 00464C28
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                  • _wcslen.LIBCMT ref: 00464CBA
                                                  • _wcslen.LIBCMT ref: 00464CD0
                                                  • _wcslen.LIBCMT ref: 00464CEF
                                                  Similarity
                                                  • API ID: _wcslen$Directory$CurrentSystem
                                                  • String ID: D
                                                  • API String ID: 1914653954-2746444292
                                                  APIs
                                                  • _wcsncpy.LIBCMT ref: 0045CE39
                                                  • __wsplitpath.LIBCMT ref: 0045CE78
                                                  • _wcscat.LIBCMT ref: 0045CE8B
                                                  • _wcscat.LIBCMT ref: 0045CE9E
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                  • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                  • _wcscpy.LIBCMT ref: 0045CF61
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                  Similarity
                                                  • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                  • String ID: *.*
                                                  • API String ID: 1153243558-438819550
                                                  Similarity
                                                  • API ID: __wcsicoll
                                                  • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                  • API String ID: 3832890014-4202584635
                                                  APIs
                                                  • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                  • GetFocus.USER32 ref: 0046A0DD
                                                  • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                  Similarity
                                                  • API ID: MessagePost$CtrlFocus
                                                  • String ID: 0
                                                  • API String ID: 1534620443-4108050209
                                                  APIs
                                                  • DestroyWindow.USER32(?), ref: 004558E3
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                  Similarity
                                                  • API ID: Window$CreateDestroy
                                                  • String ID: ,$tooltips_class32
                                                  • API String ID: 1109047481-3856767331
                                                  APIs
                                                  • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                  • GetMenuItemCount.USER32(?), ref: 00468C45
                                                  • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                  • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                  • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                  • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                  • GetMenuItemCount.USER32 ref: 00468CFD
                                                  • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                  • GetCursorPos.USER32(?), ref: 00468D3F
                                                  • SetForegroundWindow.USER32(?), ref: 00468D49
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                  • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                  Similarity
                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                  • String ID: 0
                                                  • API String ID: 1441871840-4108050209
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                  • __swprintf.LIBCMT ref: 00460915
                                                  • __swprintf.LIBCMT ref: 0046092D
                                                  • _wprintf.LIBCMT ref: 004609E1
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                  Similarity
                                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                  • API String ID: 3631882475-2268648507
                                                  APIs
                                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                  • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                  • SendMessageW.USER32 ref: 00471740
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                  • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                  • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                  • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                  • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                  • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                  • SendMessageW.USER32 ref: 0047184F
                                                  • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                  • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                  • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                  • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                  Similarity
                                                  • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                  • String ID:
                                                  • API String ID: 4116747274-0
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                  • _wcslen.LIBCMT ref: 00461683
                                                  • __swprintf.LIBCMT ref: 00461721
                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                  • GetDlgCtrlID.USER32(?), ref: 00461869
                                                  • GetWindowRect.USER32(?,?), ref: 004618A4
                                                  • GetParent.USER32(?), ref: 004618C3
                                                  • ScreenToClient.USER32(00000000), ref: 004618CA
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                  Similarity
                                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                  • String ID: %s%u
                                                  • API String ID: 1899580136-679674701
                                                  APIs
                                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                  • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                  • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                  Similarity
                                                  • API ID: InfoItemMenu$Sleep
                                                  • String ID: 0
                                                  • API String ID: 1196289194-4108050209
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 0043143E
                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                  • SelectObject.GDI32(00000000,?), ref: 00431466
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                  • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                  Similarity
                                                  • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                  • String ID: (
                                                  • API String ID: 3300687185-3887548279
                                                  APIs
                                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                  • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  Similarity
                                                  • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                  • API String ID: 1976180769-4113822522
                                                  APIs
                                                  Similarity
                                                  • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                  • String ID:
                                                  • API String ID: 461458858-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                  • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                  • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                  • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                  • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                  • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                  • DeleteObject.GDI32(?), ref: 004301D0
                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                  Similarity
                                                  • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                  • String ID:
                                                  • API String ID: 3969911579-0
                                                  APIs
                                                  Similarity
                                                  • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                  • String ID: 0
                                                  • API String ID: 956284711-4108050209
                                                  APIs
                                                  Similarity
                                                  • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                  • String ID: 0.0.0.0
                                                  • API String ID: 1965227024-3771769585
                                                  APIs
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                  Similarity
                                                  • API ID: SendString$_memmove_wcslen
                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                  • API String ID: 369157077-1007645807
                                                  APIs
                                                  • GetParent.USER32 ref: 00445BF8
                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                  • __wcsicoll.LIBCMT ref: 00445C33
                                                  • __wcsicoll.LIBCMT ref: 00445C4F
                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                  Similarity
                                                  • API ID: __wcsicoll$ClassMessageNameParentSend
                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                  • API String ID: 3125838495-3381328864
                                                  APIs
                                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                  • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                  • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                  • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                  Similarity
                                                  • API ID: MessageSend$CharNext
                                                  • String ID:
                                                  • API String ID: 1350042424-0
                                                  APIs
                                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                  • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                  • _wcscpy.LIBCMT ref: 004787E5
                                                  Similarity
                                                  • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                  • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                  • API String ID: 3052893215-2127371420
                                                  APIs
                                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                  • __swprintf.LIBCMT ref: 0045E7F7
                                                  • _wprintf.LIBCMT ref: 0045E8B3
                                                  • _wprintf.LIBCMT ref: 0045E8D7
                                                  Similarity
                                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 2295938435-2354261254
                                                  APIs
                                                  Similarity
                                                  • API ID: __swprintf_wcscpy$__i64tow__itow
                                                  • String ID: %.15g$0x%p$False$True
                                                  • API String ID: 3038501623-2263619337
                                                  APIs
                                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                  • __swprintf.LIBCMT ref: 0045E5F6
                                                  • _wprintf.LIBCMT ref: 0045E6A3
                                                  • _wprintf.LIBCMT ref: 0045E6C7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 2295938435-8599901
                                                  • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                  • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                  • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                  • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                  APIs
                                                  • timeGetTime.WINMM ref: 00443B67
                                                    • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                  • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                                  • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                  • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                                  • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                  • IsWindow.USER32(00000000), ref: 00443C3A
                                                  • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                  • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                  • String ID: BUTTON
                                                  • API String ID: 1834419854-3405671355
                                                  • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                  • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                  • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                  • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                  • LoadStringW.USER32(00000000), ref: 00454040
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • _wprintf.LIBCMT ref: 00454074
                                                  • __swprintf.LIBCMT ref: 004540A3
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                  • API String ID: 455036304-4153970271
                                                  • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                  • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                  • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                  • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                  APIs
                                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                  • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                  • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                  • _memmove.LIBCMT ref: 00467EB8
                                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                  • _memmove.LIBCMT ref: 00467F6C
                                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                  • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                  • String ID:
                                                  • API String ID: 2170234536-0
                                                  • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                  • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                  • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                  • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 00453CE0
                                                  • SetKeyboardState.USER32(?), ref: 00453D3B
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                  • GetKeyState.USER32(000000A0), ref: 00453D75
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                  • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                  • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                  • GetKeyState.USER32(00000011), ref: 00453DEF
                                                  • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                  • GetKeyState.USER32(00000012), ref: 00453E26
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                  • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                  • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                  • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                  • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                  • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                  • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                  • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                  • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                  • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                  • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                  • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                  • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                  • String ID:
                                                  • API String ID: 3096461208-0
                                                  • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                  • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                  • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                  • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                  APIs
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                  • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                  • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                  • DeleteObject.GDI32(?), ref: 0047151E
                                                  • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                  • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                  • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                  • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                  • DeleteObject.GDI32(?), ref: 004715EA
                                                  • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                  • String ID:
                                                  • API String ID: 3218148540-0
                                                  • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                  • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                  • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                  • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                  • String ID:
                                                  • API String ID: 136442275-0
                                                  • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                  • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                  • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                  • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                  APIs
                                                  • _wcsncpy.LIBCMT ref: 00467490
                                                  • _wcsncpy.LIBCMT ref: 004674BC
                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                  • _wcstok.LIBCMT ref: 004674FF
                                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                  • _wcstok.LIBCMT ref: 004675B2
                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                  • _wcslen.LIBCMT ref: 00467793
                                                  • _wcscpy.LIBCMT ref: 00467641
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • _wcslen.LIBCMT ref: 004677BD
                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                  • String ID: X
                                                  • API String ID: 3104067586-3081909835
                                                  • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                  • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                  • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                  • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                  • _wcslen.LIBCMT ref: 004610A3
                                                  • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                  • GetWindowRect.USER32(?,?), ref: 00461248
                                                    • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                  • String ID: ThumbnailClass
                                                  • API String ID: 4136854206-1241985126
                                                  • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                  • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                  • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                  • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                  APIs
                                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                  • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                  • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                  • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                  • GetClientRect.USER32(?,?), ref: 00471A1A
                                                  • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                  • DestroyIcon.USER32(?), ref: 00471AF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                  • String ID: 2
                                                  • API String ID: 1331449709-450215437
                                                  • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                  • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                  • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                  • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                  • __swprintf.LIBCMT ref: 00460915
                                                  • __swprintf.LIBCMT ref: 0046092D
                                                  • _wprintf.LIBCMT ref: 004609E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                  • API String ID: 3054410614-2561132961
                                                  • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                  • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                  • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                  • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                  APIs
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                  • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                  • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                  • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                  • API String ID: 600699880-22481851
                                                  • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                  • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                  • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                  • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DestroyWindow
                                                  • String ID: static
                                                  • API String ID: 3375834691-2160076837
                                                  • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                  • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                  • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                  • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DriveType
                                                  • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                  • API String ID: 2907320926-3566645568
                                                  • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                  • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                  • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                  • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                  APIs
                                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                  • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                  • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                  • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                  • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                  • DeleteObject.GDI32(00550000), ref: 00470A04
                                                  • DestroyIcon.USER32(00650073), ref: 00470A1C
                                                  • DeleteObject.GDI32(02F844A0), ref: 00470A34
                                                  • DestroyWindow.USER32(006D0065), ref: 00470A4C
                                                  • DestroyIcon.USER32(?), ref: 00470A73
                                                  • DestroyIcon.USER32(?), ref: 00470A81
                                                  • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                  • String ID:
                                                  • API String ID: 1237572874-0
                                                  • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                  • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                  • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                  • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                  APIs
                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                  • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                  • VariantInit.OLEAUT32(?), ref: 004793E1
                                                  • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                  • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                  • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                  • VariantClear.OLEAUT32(?), ref: 00479489
                                                  • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                  • VariantClear.OLEAUT32(?), ref: 004794CA
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                  • String ID:
                                                  • API String ID: 2706829360-0
                                                  • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                  • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                  • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                  • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 0044480E
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                  • GetKeyState.USER32(000000A0), ref: 004448AA
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                  • GetKeyState.USER32(000000A1), ref: 004448D9
                                                  • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                  • GetKeyState.USER32(00000011), ref: 00444903
                                                  • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                  • GetKeyState.USER32(00000012), ref: 0044492D
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                  • GetKeyState.USER32(0000005B), ref: 00444958
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                  • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                  • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                  • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                  • String ID:
                                                  • API String ID: 3413494760-0
                                                  • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                  • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                  • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                  • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AddressProc_free_malloc$_strcat_strlen
                                                  • String ID: AU3_FreeVar
                                                  • API String ID: 2634073740-771828931
                                                  • Opcode ID: da08cc041a21d481ca46116ab47081ac4fbb3e56b80667e79e82d75b6ee56f55
                                                  • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                  • Opcode Fuzzy Hash: da08cc041a21d481ca46116ab47081ac4fbb3e56b80667e79e82d75b6ee56f55
                                                  • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                  APIs
                                                  • CoInitialize.OLE32 ref: 0046C63A
                                                  • CoUninitialize.OLE32 ref: 0046C645
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                    • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                  • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                  • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                  • IIDFromString.OLE32(?,?), ref: 0046C705
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                  • API String ID: 2294789929-1287834457
                                                  • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                  • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                  • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                  • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                  APIs
                                                    • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                    • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                  • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                  • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                  • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                  • ReleaseCapture.USER32 ref: 0047116F
                                                  • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                  • API String ID: 2483343779-2107944366
                                                  • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                  • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                  • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                  • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                  • _wcslen.LIBCMT ref: 00450720
                                                  • _wcscat.LIBCMT ref: 00450733
                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                  • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window_wcscat_wcslen
                                                  • String ID: -----$SysListView32
                                                  • API String ID: 4008455318-3975388722
                                                  • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                  • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                  • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                  • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                  APIs
                                                  • EnumProcesses.PSAPI(?,00000800,?,?,00443D49,?,?,?,004A8178), ref: 00433DBB
                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,004A8178), ref: 00433E19
                                                  • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00433E2C
                                                  • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 00433E43
                                                  • __wsplitpath.LIBCMT ref: 00433E6D
                                                  • _wcscat.LIBCMT ref: 00433E80
                                                  • __wcsicoll.LIBCMT ref: 00433E90
                                                  • CloseHandle.KERNEL32(00000000), ref: 00433EC8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
                                                  • String ID: I=D
                                                  • API String ID: 2903788889-2605949546
                                                  • Opcode ID: e2a61d30099513a4b86aa9445ff639564bac9cad2a304c62a227ff9d1443cd16
                                                  • Instruction ID: 36098e5712afd53b5e3c4de91d69c0015cf2cbbc5c01d2287a97767e02e0faf1
                                                  • Opcode Fuzzy Hash: e2a61d30099513a4b86aa9445ff639564bac9cad2a304c62a227ff9d1443cd16
                                                  • Instruction Fuzzy Hash: 05319376600108AFDB11CFA4CD85EEF73B9AF8C701F10419AFA0987250DB75AB85CBA4
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                  • GetParent.USER32 ref: 00469C98
                                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                  • GetParent.USER32 ref: 00469CBC
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 2360848162-1403004172
                                                  • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                  • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                  • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                  • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469E71
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00469E82
                                                  • GetParent.USER32 ref: 00469E96
                                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469E9D
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00469EA3
                                                  • GetParent.USER32 ref: 00469EBA
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469EC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 2360848162-1403004172
                                                  • Opcode ID: 986fe2d2ad3502a89dd9d9f189f0f45c93be64f12821e5ba271ad6af13960510
                                                  • Instruction ID: 3a0c9dd1fa5fd4c1d1a647422213a645dfa1e4764d365342f395b6f430504e68
                                                  • Opcode Fuzzy Hash: 986fe2d2ad3502a89dd9d9f189f0f45c93be64f12821e5ba271ad6af13960510
                                                  • Instruction Fuzzy Hash: D121F7716001187BDB00ABA9CC85BBF77ACEB85310F00855FFA44EB2D5D6B8DC4587A5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                  • String ID:
                                                  • API String ID: 262282135-0
                                                  • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                  • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                  • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                  • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                  APIs
                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                  • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                  • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                  • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                  • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow
                                                  • String ID:
                                                  • API String ID: 312131281-0
                                                  • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                  • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                  • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                  APIs
                                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                  • SendMessageW.USER32(770823D0,00001001,00000000,?), ref: 00448E16
                                                  • SendMessageW.USER32(770823D0,00001026,00000000,?), ref: 00448E25
                                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                  Similarity
                                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                  • String ID:
                                                  • API String ID: 3771399671-0
                                                  • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                  • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                  • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                  • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                  Similarity
                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                  • String ID:
                                                  • API String ID: 2156557900-0
                                                  • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                  • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                  • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                  • API String ID: 0-1603158881
                                                  • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                  • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                  • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                  APIs
                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                  • DestroyWindow.USER32(?), ref: 00426F50
                                                  • UnregisterHotKey.USER32(?), ref: 00426F77
                                                  • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                  Strings
                                                  Similarity
                                                  • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                  • String ID: close all$Mw
                                                  • API String ID: 4174999648-882598956
                                                  • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                  • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                  • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                  APIs
                                                  • CreateMenu.USER32 ref: 00448603
                                                  • SetMenu.USER32(?,00000000), ref: 00448613
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                  • IsMenu.USER32(?), ref: 004486AB
                                                  • CreatePopupMenu.USER32 ref: 004486B5
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                  • DrawMenuBar.USER32 ref: 004486F5
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                  • String ID: 0
                                                  • API String ID: 161812096-4108050209
                                                  • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                  • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                  • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe), ref: 00434057
                                                  • LoadStringW.USER32(00000000), ref: 00434060
                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                  • LoadStringW.USER32(00000000), ref: 00434078
                                                  • _wprintf.LIBCMT ref: 004340A1
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                  Strings
                                                  • C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, xrefs: 00434040
                                                  • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                  • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                  • API String ID: 3648134473-2320749209
                                                  • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                  • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                  • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                  • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                  • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                  • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                  • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                  APIs
                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,0040F545,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,004A90E8,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,?,0040F545), ref: 0041013C
                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                  • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                  Similarity
                                                  • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                  • String ID:
                                                  • API String ID: 978794511-0
                                                  • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                  • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                  • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                  • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                  • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                  APIs
                                                    • Part of subcall function 00445AA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00445AC7
                                                    • Part of subcall function 00445AA7: GetCurrentThreadId.KERNEL32 ref: 00445ACE
                                                    • Part of subcall function 00445AA7: AttachThreadInput.USER32(00000000), ref: 00445AD5
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445E6F
                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445E88
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445E96
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445E9C
                                                  • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445EBD
                                                  • Sleep.KERNEL32(00000000), ref: 00445ECB
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445ED1
                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445EE6
                                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445EEE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                  • String ID:
                                                  • API String ID: 2014098862-0
                                                  • Opcode ID: 5ca03ddf5c5627d7609a553b695717aade5f72ce3845e2189486292beca2fa90
                                                  • Instruction ID: 3cb45b36699f005c3339592b7719367c9fd6f04972b18b3a4454280c1561912d
                                                  • Opcode Fuzzy Hash: 5ca03ddf5c5627d7609a553b695717aade5f72ce3845e2189486292beca2fa90
                                                  • Instruction Fuzzy Hash: 44115671390300BBF6209B959D8AF5A775DEB98B11F20490DFB80AB1C1C5F5A4418B7C
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                  • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                  • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                  • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                  APIs
                                                  • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                  • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                  • VariantClear.OLEAUT32 ref: 0045EA6D
                                                  • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                  • __swprintf.LIBCMT ref: 0045EC33
                                                  • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                  Strings
                                                  • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                  • String ID: %4d%02d%02d%02d%02d%02d
                                                  • API String ID: 2441338619-1568723262
                                                  • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                  • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                  • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                  • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                  • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                                  • String ID: @COM_EVENTOBJ
                                                  • API String ID: 327565842-2228938565
                                                  • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                  • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                  • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                  • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                  APIs
                                                  • VariantClear.OLEAUT32(?), ref: 0047031B
                                                  • VariantClear.OLEAUT32(?), ref: 0047044F
                                                  • VariantInit.OLEAUT32(?), ref: 004704A3
                                                  • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                  • VariantClear.OLEAUT32(?), ref: 00470516
                                                    • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                  • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                    • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                  • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                  • String ID: H
                                                  • API String ID: 3613100350-2852464175
                                                  • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                  • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                  • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                  • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                  • String ID:
                                                  • API String ID: 1291720006-3916222277
                                                  • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                  • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                  • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                  • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                  APIs
                                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                  • IsMenu.USER32(?), ref: 0045FC5F
                                                  • CreatePopupMenu.USER32 ref: 0045FC97
                                                  • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                  • String ID: 0$2
                                                  • API String ID: 93392585-3793063076
                                                  • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                  • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                  • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                  • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                  APIs
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                  • VariantClear.OLEAUT32(?), ref: 00435320
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                  • VariantClear.OLEAUT32(?), ref: 004353B3
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                  • String ID: crts
                                                  • API String ID: 586820018-3724388283
                                                  • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                  • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                  • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                  • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                  APIs
                                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,0040F545,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,004A90E8,C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe,?,0040F545), ref: 0041013C
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                  • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                  • _wcscat.LIBCMT ref: 0044BCAF
                                                  • _wcslen.LIBCMT ref: 0044BCBB
                                                  • _wcslen.LIBCMT ref: 0044BCD1
                                                  • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 2326526234-1173974218
                                                  • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                  • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                  • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                  • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                  APIs
                                                    • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                  • _wcslen.LIBCMT ref: 004335F2
                                                  • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                  • GetLastError.KERNEL32 ref: 0043362B
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                  • _wcsrchr.LIBCMT ref: 00433666
                                                    • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                  • String ID: \
                                                  • API String ID: 321622961-2967466578
                                                  • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                  • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                  • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                  • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                  • API String ID: 1038674560-2734436370
                                                  • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                  • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                  • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                  • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                  • __lock.LIBCMT ref: 00417981
                                                    • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                    • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                    • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                  • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                  • __lock.LIBCMT ref: 004179A2
                                                  • ___addlocaleref.LIBCMT ref: 004179C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                  • String ID: KERNEL32.DLL$pI
                                                  • API String ID: 637971194-197072765
                                                  • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                  • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                  • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                  • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove$_malloc
                                                  • String ID:
                                                  • API String ID: 1938898002-0
                                                  • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                  • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                  • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                  • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                  APIs
                                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                  • SendMessageW.USER32(770823D0,00001001,00000000,?), ref: 00448E16
                                                  • SendMessageW.USER32(770823D0,00001026,00000000,?), ref: 00448E25
                                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                  • String ID:
                                                  • API String ID: 3771399671-0
                                                  • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                  • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                                  • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                  • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                  • _memmove.LIBCMT ref: 0044B555
                                                  • _memmove.LIBCMT ref: 0044B578
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                  • String ID:
                                                  • API String ID: 2737351978-0
                                                  • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                  • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                  • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                  • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                  APIs
                                                  • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                  • __calloc_crt.LIBCMT ref: 00415246
                                                  • __getptd.LIBCMT ref: 00415253
                                                  • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                  • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                  • _free.LIBCMT ref: 0041529E
                                                  • __dosmaperr.LIBCMT ref: 004152A9
                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                  • String ID:
                                                  • API String ID: 3638380555-0
                                                  • Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                                  • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                  • Opcode Fuzzy Hash: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                                  • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$Copy$ClearErrorInitLast
                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                  • API String ID: 3207048006-625585964
                                                  • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                  • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                  • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                  • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                  APIs
                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                  • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                  • gethostbyname.WSOCK32(?), ref: 004655A6
                                                  • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                  • _memmove.LIBCMT ref: 004656CA
                                                  • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                  • WSACleanup.WSOCK32 ref: 00465762
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                  • String ID:
                                                  • API String ID: 2945290962-0
                                                  • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                  • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                  • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                  • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
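Added example, not code from the report or from Joe Sandbox: a parser for the per-function records printed in this listing (the APIs, Memory Dump Source and Similarity blocks), returning structured rows so the Similarity fingerprints (API ID, Opcode ID, Instruction Fuzzy Hash) can be indexed and intersected across two reports of related samples. The record layout is taken from the entries above; the class and function names and the two shortened sample records are my own construction.

```python
"""Parse the Joe Sandbox IDA-plugin function records shown in this report
(APIs / Memory Dump Source / Similarity) into structured rows so the
per-function fingerprints (API ID, Opcode ID, fuzzy hashes) can be indexed
and compared across reports. Added example, not Joe Sandbox code; the record
layout comes from the entries above, the names below are my own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.MODULE(arg,arg), ref: 0041794D"  or
# "• Part of subcall function 004182CB: Name.MODULE ref: 004182E1"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"([A-Za-z_][\w@]*)\.(\w+)"              # api name, module
    r"(?:\(([^)]*)\))?"                      # optional argument list
    r"(?:\s*,?\s*ref:\s*([0-9A-Fa-f]{8}))?"  # optional call-site address
)
FIELD_RE = re.compile(r"•\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")   # "• Key: value"
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: Optional[str]
    subcall_of: Optional[str]        # set when the call is reached through a sub-function

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)
    dumps: List[str] = field(default_factory=list)     # "Associated" memory dumps

def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing into records; every record begins at an 'APIs' header."""
    entries: List[FunctionEntry] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif not line or cur is None:   # blank, or the partial record before the first header
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, mod, args, ref = m.groups()
                arglist = [a.strip() for a in args.split(",")] if args else []
                cur.apis.append(ApiCall(name, mod, arglist, ref, sub))
        else:
            m = FIELD_RE.match(line)
            if m and m.group(1) == "Associated":
                # the HTML export fuses the 'Download File' link label onto the path
                cur.dumps.append(m.group(2).replace("Download File", "").strip())
            elif m:
                cur.fields[m.group(1)] = m.group(2)
    return entries

def index_by(entries: List[FunctionEntry], key: str = "Opcode ID") -> Dict[str, FunctionEntry]:
    """Fingerprint value -> record, for pivoting on a hash across reports."""
    return {e.fields[key]: e for e in entries if e.fields.get(key)}

def shared_fingerprints(a, b, key: str = "Opcode ID") -> List[str]:
    """Fingerprints present in both listings: the same function code in two samples."""
    return sorted(set(index_by(a, key)) & set(index_by(b, key)))

def direct_apis(entries: List[FunctionEntry]) -> List[tuple]:
    """Distinct (module, api) pairs called directly, ignoring sub-function calls."""
    return sorted({(c.module, c.name) for e in entries for c in e.apis if c.subcall_of is None})

# Constructed sample: two records from this report, shortened.
SAMPLE = """\
APIs
• __calloc_crt.LIBCMT ref: 00415246
• CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00465559
• gethostbyname.WSOCK32(?), ref: 004655A6
• WSACleanup.WSOCK32 ref: 00465762
Similarity
• API String ID: 2945290962-0
• Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
"""

if __name__ == "__main__":
    for rec in parse_entries(SAMPLE):
        print(rec.fields.get("Opcode ID", "?")[:16], [c.name for c in rec.apis])
```

Feed two listings to `parse_entries` and call `shared_fingerprints` on the results to see which Opcode IDs recur; a fingerprint that appears in both reports is the pivot the Similarity block is there for. `direct_apis` drops the "Part of subcall function" lines so the set reflects what the function itself calls rather than its callees.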
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                  • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                  • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                  • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                  • String ID:
                                                  • API String ID: 1457242333-0
                                                  • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                  • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                  • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                  • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ConnectRegistry_memmove_wcslen
                                                  • String ID:
                                                  • API String ID: 15295421-0
                                                  • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                  • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                  • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                  • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                  APIs
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • _wcstok.LIBCMT ref: 004675B2
                                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                  • _wcscpy.LIBCMT ref: 00467641
                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                  • _wcslen.LIBCMT ref: 00467793
                                                  • _wcslen.LIBCMT ref: 004677BD
                                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                  • String ID: X
                                                  APIs
                                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                  • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                  • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                  • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                  • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                  • CloseFigure.GDI32(?), ref: 0044751F
                                                  • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                  • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                  • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                  • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                  • GetMenu.USER32 ref: 0047A703
                                                  • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                  • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                  • _wcslen.LIBCMT ref: 0047A79E
                                                  • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                  • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                  • String ID:
                                                  APIs
                                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorLastselect
                                                  • String ID:
                                                  APIs
                                                  • GetParent.USER32(?), ref: 0044443B
                                                  • GetKeyboardState.USER32(?), ref: 00444450
                                                  • SetKeyboardState.USER32(?), ref: 004444A4
                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  APIs
                                                  • GetParent.USER32(?), ref: 00444633
                                                  • GetKeyboardState.USER32(?), ref: 00444648
                                                  • SetKeyboardState.USER32(?), ref: 0044469C
                                                  • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                  • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                  • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                  • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: __snwprintf__wcsicoll_wcscpy
                                                  • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                  APIs
                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                  • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                  • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                  • String ID:
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                  • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                  • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: AddressProc$Library$FreeLoad
                                                  • String ID: Mw
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                  • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                  • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                  • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                  APIs
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                  Similarity
                                                  • API ID: Window$Enable$Show$MessageMoveSend
                                                  • String ID:
                                                  • API String ID: 896007046-0
                                                  • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                  • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                  • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                  • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                  APIs
                                                  • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                  • SendMessageW.USER32(02F51B28,000000F1,00000000,00000000), ref: 00440E6E
                                                  • SendMessageW.USER32(02F51B28,000000F1,00000001,00000000), ref: 00440E9A
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow
                                                  • String ID:
                                                  • API String ID: 312131281-0
                                                  • Opcode ID: 8e011b54ce9cde448a93fe9bb8036a6d541319eb6c66cabd8f3e8fc2f85cf438
                                                  • Instruction ID: 2c169baf4234265a3f6c05f50e500cf46f5ce099e15a3d3a23704bf731ec4cbe
                                                  • Opcode Fuzzy Hash: 8e011b54ce9cde448a93fe9bb8036a6d541319eb6c66cabd8f3e8fc2f85cf438
                                                  • Instruction Fuzzy Hash: 944189342402119FE720CF58DDC4F2A77A1FF9A710F6049A9E2119B3A1CB74ACA2CB58
                                                  APIs
                                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                  • GetFocus.USER32 ref: 00448ACF
                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                  Similarity
                                                  • API ID: Window$Enable$Show$FocusMessageSend
                                                  • String ID:
                                                  • API String ID: 3429747543-0
                                                  • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                  • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                  • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                  • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                  • __swprintf.LIBCMT ref: 0045D4E9
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                  • String ID: %lu$\VH
                                                  • API String ID: 3164766367-2432546070
                                                  • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                  • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                  • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                  • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                  • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                  • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Msctls_Progress32
                                                  • API String ID: 3850602802-3636473452
                                                  • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                  • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                  • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                  • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                  APIs
                                                  Similarity
                                                  • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                  • String ID:
                                                  • API String ID: 3985565216-0
                                                  • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                  • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                  • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                  • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,004A8178), ref: 00433E19
                                                  • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00433E2C
                                                  • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 00433E43
                                                  • __wsplitpath.LIBCMT ref: 00433E6D
                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                  • _wcscat.LIBCMT ref: 00433E80
                                                  • __wcsicoll.LIBCMT ref: 00433E90
                                                  • CloseHandle.KERNEL32(00000000), ref: 00433EC8
                                                  Similarity
                                                  • API ID: Process$BaseCloseEnumHandleModuleModulesNameOpen__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                  • String ID:
                                                  • API String ID: 135935984-0
                                                  • Opcode ID: b9dd60fc789600814193b10c203562de5ce45e1fa765f6932a0e1556b25623f2
                                                  • Instruction ID: 66738fc5919b7c3a3c7c4a311c48fd84e22d6c2a66b6279363cc5d51ef299119
                                                  • Opcode Fuzzy Hash: b9dd60fc789600814193b10c203562de5ce45e1fa765f6932a0e1556b25623f2
                                                  • Instruction Fuzzy Hash: 832180B6500118AFDB11CF90CD85EEEB379EB8C700F10459AFA0997150DA75AA85CBA4
                                                  APIs
                                                  • _malloc.LIBCMT ref: 0041F707
                                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                  • _free.LIBCMT ref: 0041F71A
                                                  Strings
                                                  Similarity
                                                  • API ID: AllocateHeap_free_malloc
                                                  • String ID: [B
                                                  • API String ID: 1020059152-632041663
                                                  • Opcode ID: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                                  • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                  • Opcode Fuzzy Hash: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                                  • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                  APIs
                                                  • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                  • __calloc_crt.LIBCMT ref: 00413DB0
                                                  • __getptd.LIBCMT ref: 00413DBD
                                                  • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                  • _free.LIBCMT ref: 00413E07
                                                  • __dosmaperr.LIBCMT ref: 00413E12
                                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                  Similarity
                                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                  • String ID:
                                                  • API String ID: 155776804-0
                                                  • Opcode ID: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                                  • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                  • Opcode Fuzzy Hash: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                                  • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                  APIs
                                                    • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                    • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                  • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                  • String ID:
                                                  • API String ID: 1957940570-0
                                                  • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                  • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                  • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                  • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                  APIs
                                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                  • ExitThread.KERNEL32 ref: 00413D4E
                                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                  • __freefls@4.LIBCMT ref: 00413D74
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                  • String ID:
                                                  • API String ID: 259663610-0
                                                  • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                  • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                  • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                  • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                  APIs
                                                  • GetClientRect.USER32(?,?), ref: 004302E6
                                                  • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                  • GetClientRect.USER32(?,?), ref: 00430364
                                                  • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                  • GetWindowRect.USER32(?,?), ref: 004303C3
                                                  • ScreenToClient.USER32(?,?), ref: 004303EC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Rect$Client$Window$MetricsScreenSystem
                                                  • String ID:
                                                  • API String ID: 3220332590-0
                                                  • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                  • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                  • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                  • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _malloc_wcslen$_strcat_wcscpy
                                                  • String ID:
                                                  • API String ID: 1612042205-0
                                                  • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                  • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                  • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                  • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 0044C570
                                                  • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                  • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                  • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                  • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$InputSend
                                                  • String ID:
                                                  • API String ID: 2221674350-0
                                                  • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                  • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                  • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                  • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$_wcscat
                                                  • String ID:
                                                  • API String ID: 2037614760-0
                                                  • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                  • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                  • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                  • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                  • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                  • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                  • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                  • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$Copy$AllocClearErrorLastString
                                                  • String ID:
                                                  • API String ID: 960795272-0
                                                  • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                  • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                  • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                  • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                  APIs
                                                  • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                  • EndPaint.USER32(?,?), ref: 00447D13
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                  • String ID:
                                                  • API String ID: 4189319755-0
                                                  • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                  • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                  • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                  • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                  APIs
                                                  • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                  • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                  • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow$InvalidateRect
                                                  • String ID:
                                                  • API String ID: 1976402638-0
                                                  • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                  • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                  • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                  • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                  APIs
                                                  • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                  • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                  • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                  • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                  • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Enable$MessageSend
                                                  • String ID:
                                                  • API String ID: 642888154-0
                                                  • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                  • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                  • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                  • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                  APIs
                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$Enable$Show$MessageSend
                                                  • String ID:
                                                  • API String ID: 1871949834-0
                                                  • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                  • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                  • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                  • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                  • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                  • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                  • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                  APIs
                                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                  • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                  • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                  • SendMessageW.USER32 ref: 00471AE3
                                                  • DestroyIcon.USER32(?), ref: 00471AF4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                  • String ID:
                                                  • API String ID: 3611059338-0
                                                  • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                  • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                  • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                  • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DestroyWindow$DeleteObject$IconMove
                                                  • String ID:
                                                  • API String ID: 1640429340-0
                                                  • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                  • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                  • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                  • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                  APIs
                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                  • _wcslen.LIBCMT ref: 004438CD
                                                  • _wcslen.LIBCMT ref: 004438E6
                                                  • _wcstok.LIBCMT ref: 004438F8
                                                  • _wcslen.LIBCMT ref: 0044390C
                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                  • _wcstok.LIBCMT ref: 00443931
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                  • String ID:
                                                  • API String ID: 3632110297-0
                                                  • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                  • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                  • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                  • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Destroy$DeleteMenuObject$IconWindow
                                                  • String ID:
                                                  • API String ID: 752480666-0
                                                  • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                  • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                  • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                  • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                  • String ID:
                                                  • API String ID: 3275902921-0
                                                  • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                  • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                  • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                  • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                  • String ID:
                                                  • API String ID: 3275902921-0
                                                  • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                  • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                  • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                  • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                  • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                  • String ID:
                                                  • API String ID: 2833360925-0
                                                  • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                  • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                  • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                  • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                  APIs
                                                  • SendMessageW.USER32 ref: 004555C7
                                                  • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                  • String ID:
                                                  • API String ID: 3691411573-0
                                                  • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                  • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                  • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                  • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                  APIs
                                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                  • LineTo.GDI32(?,?,?), ref: 004472AC
                                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                  • LineTo.GDI32(?,?,?), ref: 004472C6
                                                  • EndPath.GDI32(?), ref: 004472D6
                                                  • StrokePath.GDI32(?), ref: 004472E4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                  • String ID:
                                                  • API String ID: 372113273-0
                                                  • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                  • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                  • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                  • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 0044CC6D
                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CapsDevice$Release
                                                  • String ID:
                                                  • API String ID: 1035833867-0
                                                  • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                  • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                  • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                  • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                  APIs
                                                  • __getptd.LIBCMT ref: 0041708E
                                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                  • __amsg_exit.LIBCMT ref: 004170AE
                                                  • __lock.LIBCMT ref: 004170BE
                                                  • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                  • _free.LIBCMT ref: 004170EE
                                                  • InterlockedIncrement.KERNEL32(02F52D00), ref: 00417106
                                                  Similarity
                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                  • String ID:
                                                  • API String ID: 3470314060-0
                                                  • Opcode ID: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                                  • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                  • Opcode Fuzzy Hash: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                                  • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                  • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                    • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                  Similarity
                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                  • String ID:
                                                  • API String ID: 3495660284-0
                                                  • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                  • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                  • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                  • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                  APIs
                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                  Similarity
                                                  • API ID: Virtual
                                                  • String ID:
                                                  • API String ID: 4278518827-0
                                                  • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                  • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                  • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                  • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                  APIs
                                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                  • ExitThread.KERNEL32 ref: 004151ED
                                                  • __freefls@4.LIBCMT ref: 00415209
                                                  Similarity
                                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                  • String ID:
                                                  • API String ID: 442100245-0
                                                  • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                  • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                  • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                  • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                  APIs
                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                  • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                  • _wcslen.LIBCMT ref: 0045F94A
                                                  • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                  Strings
                                                  Similarity
                                                  • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                  • String ID: 0
                                                  • API String ID: 621800784-4108050209
                                                  • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                  • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                  • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                  • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • SetErrorMode.KERNEL32 ref: 004781CE
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                  • SetErrorMode.KERNEL32(?), ref: 00478270
                                                  • SetErrorMode.KERNEL32(?), ref: 00478340
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                  • String ID: \VH
                                                  • API String ID: 3884216118-234962358
                                                  • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                  • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                  • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                  • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                  • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                  • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                  Strings
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: AU3_GetPluginDetails$Mw
                                                  • API String ID: 145871493-1446986698
                                                  • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                  • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                  • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                                  • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
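Every entry in this listing has the same shape: an APIs block of `Name.MODULE(args), ref: address` bullets (some without an argument list, some nested as `Part of subcall function`), then a Similarity block with the API ID, String ID, API String ID and hash fields. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that shape into records, runs a few triage rules of this example's own choosing (the LoadLibraryA + GetProcAddress pair from the entry above, TerminateThread + WaitForSingleObject, MapVirtualKeyW use), and pulls out the constant first arguments handed to a given API, here the virtual-key codes the MapVirtualKeyW function maps. The rule names and record field names are this example's inventions; the sample input is four entries copied from the listing above and trimmed.

```python
import re

# Constructed sample for this example: four entries copied from the function
# listing above, trimmed to their APIs/Similarity bullets. The last entry is
# included because its first call has no argument list, the other bullet shape.
SAMPLE = r"""
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails$Mw
• API String ID: 145871493-1446986698
APIs
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• API String ID: 3495660284-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• SetErrorMode.KERNEL32 ref: 004781CE
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
Similarity
• API ID: ErrorMode$AttributesFile_memmove_wcslen
• String ID: \VH
• API String ID: 3884216118-234962358
"""

# "• [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "• Key: value" bullets of the Similarity block. Tried only after CALL_RE,
# since a subcall bullet would otherwise match with the "Part of ..." text as key.
META_RE = re.compile(r"^•\s*(?P<key>[\w ]+?):\s*(?P<val>.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def parse_args(raw):
    """'?' stays '?', hex words become ints, other tokens (string literals such as
    AU3_GetPluginDetails) stay strings; the listing cannot tell an all-hex literal apart."""
    if not raw:
        return []
    return [int(t, 16) if HEX_RE.match(t) else t for t in (s.strip() for s in raw.split(","))]

def parse_listing(text):
    """One record per 'APIs' header: its call bullets plus its Similarity fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "meta": {}}
            records.append(current)
        elif current is None or not line.startswith("•"):
            continue  # blank lines and the Strings/Similarity headers
        elif (m := CALL_RE.match(line)):
            current["apis"].append({"api": m["api"], "module": m["mod"],
                                    "args": parse_args(m["args"]), "ref": int(m["ref"], 16),
                                    "subcall_of": m["sub"]})  # None for the function's own calls
        elif (m := META_RE.match(line)):
            current["meta"][m["key"]] = m["val"]
    return records

# Triage rules of this example's own choosing (not Joe Sandbox signatures): a
# record matches when every API in the set is called directly, not via a subcall.
RULES = {"dynamic_import": {"LoadLibraryA", "GetProcAddress"},
         "thread_kill": {"TerminateThread", "WaitForSingleObject"},
         "keymap": {"MapVirtualKeyW"}}

def triage(records, rules=RULES):
    """Rule name -> indices of the records whose direct calls satisfy it."""
    hits = {name: [] for name in rules}
    for idx, rec in enumerate(records):
        direct = {c["api"] for c in rec["apis"] if c["subcall_of"] is None}
        for name, needed in rules.items():
            if needed <= direct:
                hits[name].append(idx)
    return hits

def first_args(records, api):
    """Sorted distinct numeric first arguments passed to `api`, e.g. the
    virtual-key codes the MapVirtualKeyW function above hands in."""
    return sorted({c["args"][0] for rec in records for c in rec["apis"]
                   if c["api"] == api and c["args"] and isinstance(c["args"][0], int)})

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for rule, idxs in triage(recs).items():
        print(rule, "->", [recs[i]["meta"].get("API String ID") for i in idxs])
    print("MapVirtualKeyW keys:", [hex(v) for v in first_args(recs, "MapVirtualKeyW")])
```

Pointed at the full listing text instead of `SAMPLE`, the same functions give a per-function API inventory keyed by API String ID, which is the quickest way to find the handful of functions worth opening in the disassembler (dynamic import resolution, thread termination, key mapping) among the hundreds of runtime and UI helpers this AutoIt stub carries.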
                                                  APIs
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                  • IsMenu.USER32(?), ref: 0044854D
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                  • DrawMenuBar.USER32 ref: 004485AF
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$Item$DrawInfoInsert
                                                  • String ID: 0
                                                  • API String ID: 3076010158-4108050209
                                                  • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                  • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                  • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                  • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                  • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$_memmove_wcslen
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1589278365-1403004172
                                                  • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                  • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                  • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                  • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: Handle
                                                  • String ID: nul
                                                  • API String ID: 2519475695-2873401336
                                                  • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                  • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                  • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                  • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Handle
                                                  • String ID: nul
                                                  • API String ID: 2519475695-2873401336
                                                  • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                  • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                  • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                  • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: SysAnimate32
                                                  • API String ID: 0-1011021900
                                                  • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                  • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                  • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                  • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                  APIs
                                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                    • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                    • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                    • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                  • GetFocus.USER32 ref: 0046157B
                                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                  • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                  • __swprintf.LIBCMT ref: 00461608
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                  • String ID: %s%d
                                                  • API String ID: 2645982514-1110647743
                                                  • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                  • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                  • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                  • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                  • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                  • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                  • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                  • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                                  • String ID:
                                                  • API String ID: 3488606520-0
                                                  • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                  • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                  • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                  • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                  APIs
                                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ConnectRegistry_memmove_wcslen
                                                  • String ID:
                                                  • API String ID: 15295421-0
                                                  • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                  • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                  • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                  • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 004563A6
                                                  • ScreenToClient.USER32(?,?), ref: 004563C3
                                                  • GetAsyncKeyState.USER32(?), ref: 00456400
                                                  • GetAsyncKeyState.USER32(?), ref: 00456410
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorLongScreenWindow
                                                  • String ID:
                                                  • API String ID: 3539004672-0
                                                  • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                  • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                  • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                  • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                  • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                                  • String ID:
                                                  • API String ID: 327565842-0
                                                  • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                  • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                  • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                  • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                  APIs
                                                  • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                  • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                  • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$SectionWrite$String
                                                  • String ID:
                                                  • API String ID: 2832842796-0
                                                  • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                  • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                  • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                  • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                  APIs
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                  • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Enum$CloseDeleteOpen
                                                  • String ID:
                                                  • API String ID: 2095303065-0
                                                  • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                  • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                  • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                  • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00436A24
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: RectWindow
                                                  • String ID:
                                                  • API String ID: 861336768-0
                                                  • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                  • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                  • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                  • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                  APIs
                                                  • SendMessageW.USER32 ref: 00449598
                                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                  • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                  • _wcslen.LIBCMT ref: 0044960D
                                                  • _wcslen.LIBCMT ref: 0044961A
                                                  • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$_wcslen$_wcspbrk
                                                  • String ID:
                                                  • API String ID: 1856069659-0
                                                  • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                  • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                  • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                  • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 004478E2
                                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                  • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                  • GetCursorPos.USER32(00000000), ref: 0044796A
                                                  • TrackPopupMenuEx.USER32(02F564B0,00000000,00000000,?,?,00000000), ref: 00447991
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CursorMenuPopupTrack$Proc
                                                  • String ID:
                                                  • API String ID: 1300944170-0
                                                  • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                  • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                  • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                  • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                  APIs
                                                  • GetClientRect.USER32(?,?), ref: 004479CC
                                                  • GetCursorPos.USER32(?), ref: 004479D7
                                                  • ScreenToClient.USER32(?,?), ref: 004479F3
                                                  • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                  • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Client$CursorFromPointProcRectScreenWindow
                                                  • String ID:
                                                  • API String ID: 1822080540-0
                                                  • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                  • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                  • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                  • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                  • EndPaint.USER32(?,?), ref: 00447D13
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                  • String ID:
                                                  • API String ID: 659298297-0
                                                  • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                  • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                  • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                  • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                  APIs
                                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                    • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                    • Part of subcall function 00440D98: SendMessageW.USER32(02F51B28,000000F1,00000000,00000000), ref: 00440E6E
                                                    • Part of subcall function 00440D98: SendMessageW.USER32(02F51B28,000000F1,00000001,00000000), ref: 00440E9A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$EnableMessageSend$LongShow
                                                  • String ID:
                                                  • API String ID: 142311417-0
                                                  • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                  • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                  • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                  • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                  • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                  • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                  • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00445879
                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                  • _wcslen.LIBCMT ref: 004458FB
                                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                  • String ID:
                                                  • API String ID: 3087257052-0
                                                  • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                  • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                  • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                  • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                  APIs
                                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 245547762-0
                                                  • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                  • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                  • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                  • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • BeginPath.GDI32(?), ref: 0044723D
                                                  • SelectObject.GDI32(?,00000000), ref: 00447266
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Object$Select$BeginCreateDeletePath
                                                  • String ID:
                                                  • API String ID: 2338827641-0
                                                  • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                  • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                  • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                  • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00434598
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                  • Sleep.KERNEL32(00000000), ref: 004345D4
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CounterPerformanceQuerySleep
                                                  • String ID:
                                                  • API String ID: 2875609808-0
                                                  • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                  • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                  • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                  • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                  • MessageBeep.USER32(00000000), ref: 00460C46
                                                  • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                  • EndDialog.USER32(?,00000001), ref: 00460C83
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                  • String ID:
                                                  • API String ID: 3741023627-0
                                                  • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                  • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                  • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                  • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Destroy$DeleteObjectWindow$Icon
                                                  • String ID:
                                                  • API String ID: 4023252218-0
                                                  • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                  • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                  • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                  • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                  APIs
                                                  • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                  • String ID:
                                                  • API String ID: 1489400265-0
                                                  • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                  • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                  • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                  • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                  APIs
                                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                  • DestroyWindow.USER32(?), ref: 00455728
                                                  • DeleteObject.GDI32(?), ref: 00455736
                                                  • DeleteObject.GDI32(?), ref: 00455744
                                                  • DestroyIcon.USER32(?), ref: 00455752
                                                  • DestroyWindow.USER32(?), ref: 00455760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                  • String ID:
                                                  • API String ID: 1042038666-0
                                                  • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                  • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                  • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                  • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                  • String ID:
                                                  • API String ID: 2625713937-0
                                                  • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                  • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                  • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                  • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                  APIs
                                                  • __getptd.LIBCMT ref: 0041780F
                                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                  • __getptd.LIBCMT ref: 00417826
                                                  • __amsg_exit.LIBCMT ref: 00417834
                                                  • __lock.LIBCMT ref: 00417844
                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                  • String ID:
                                                  • API String ID: 938513278-0
                                                  • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                  • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                  • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                  • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                  APIs
                                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                  • ExitThread.KERNEL32 ref: 00413D4E
                                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                  • __freefls@4.LIBCMT ref: 00413D74
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                  • String ID:
                                                  • API String ID: 2403457894-0
                                                  • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                  • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                  • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                  • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                  APIs
                                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                  • ExitThread.KERNEL32 ref: 004151ED
                                                  • __freefls@4.LIBCMT ref: 00415209
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                  • String ID:
                                                  • API String ID: 4247068974-0
                                                  • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                  • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                  • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                  • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                  APIs
                                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                  • CoInitialize.OLE32(00000000), ref: 0046E505
                                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                  • CoUninitialize.OLE32 ref: 0046E53D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                  • String ID: .lnk
                                                  • API String ID: 886957087-24824748
                                                  • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                  • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                  • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                  • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: \
                                                  • API String ID: 4104443479-2967466578
                                                  • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                  • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                  • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                  • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: \
                                                  • API String ID: 4104443479-2967466578
                                                  • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                  • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                  • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                  • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: \
                                                  • API String ID: 4104443479-2967466578
                                                  • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                  • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                  • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                  • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                  Strings
                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                  Similarity
                                                  • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                  • API String ID: 708495834-557222456
                                                  • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                  • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                  • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                  • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                  APIs
                                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                  • CoInitialize.OLE32(00000000), ref: 00478442
                                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                  • CoUninitialize.OLE32 ref: 0047863C
                                                  Strings
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                  • String ID: .lnk
                                                  • API String ID: 886957087-24824748
                                                  • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                  • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                  • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                  • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                  APIs
                                                    • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                    • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                    • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                    • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                    • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                  • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                  Strings
                                                  Similarity
                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                  • String ID: @
                                                  • API String ID: 4150878124-2766056989
                                                  • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                  • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                  • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                  • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                  APIs
                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                  • CloseHandle.KERNEL32(?), ref: 00457E09
                                                  Strings
                                                  Similarity
                                                  • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                  • String ID: <$@
                                                  • API String ID: 2417854910-1426351568
                                                  • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                  • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                  • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                  • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                  APIs
                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                  Strings
                                                  Similarity
                                                  • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                  • String ID:
                                                  • API String ID: 3705125965-3916222277
                                                  • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                  • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                  • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                  • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                  APIs
                                                  • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                  • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                  • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$Delete$InfoItem
                                                  • String ID: 0
                                                  • API String ID: 135850232-4108050209
                                                  • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                  • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                  • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                  • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                  Strings
                                                  Similarity
                                                  • API ID: Window$Long
                                                  • String ID: SysTreeView32
                                                  • API String ID: 847901565-1698111956
                                                  • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                  • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                  • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                  • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: SysMonthCal32
                                                  • API String ID: 2326795674-1439706946
                                                  • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                  • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                  • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                  • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                  APIs
                                                  • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                  Strings
                                                  Similarity
                                                  • API ID: DestroyWindow
                                                  • String ID: msctls_updown32
                                                  • API String ID: 3375834691-2298589950
                                                  • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                  • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                  • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                  • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: $<
                                                  • API String ID: 4104443479-428540627
                                                  • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                  • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                  • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                  • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID: \VH
                                                  • API String ID: 1682464887-234962358
                                                  • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                  • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                  • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                  • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID: \VH
                                                  • API String ID: 1682464887-234962358
                                                  • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                  • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                  • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                  • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID: \VH
                                                  • API String ID: 1682464887-234962358
                                                  • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                  • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                  • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                  • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume
                                                  • String ID: \VH
                                                  • API String ID: 2507767853-234962358
                                                  • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                  • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                  • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                  • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume
                                                  • String ID: \VH
                                                  • API String ID: 2507767853-234962358
                                                  • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                  • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                  • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                  • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                  • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: msctls_trackbar32
                                                  • API String ID: 3850602802-1010561917
                                                  • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                  • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                                  • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                  • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                                  APIs
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                  Strings
                                                  Similarity
                                                  • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                  • String ID: crts
                                                  • API String ID: 943502515-3724388283
                                                  • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                                  • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                  • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                                  • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                  • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                  • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$LabelVolume
                                                  • String ID: \VH
                                                  • API String ID: 2006950084-234962358
                                                  • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                  • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                  • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                  • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                  APIs
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • GetMenuItemInfoW.USER32 ref: 00449727
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                  • DrawMenuBar.USER32 ref: 00449761
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$InfoItem$Draw_malloc
                                                  • String ID: 0
                                                  • API String ID: 772068139-4108050209
                                                  • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                  • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                  • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                  • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen$_wcscpy
                                                  • String ID: 3, 3, 8, 1
                                                  • API String ID: 3469035223-357260408
                                                  • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                  • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                  • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                  • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                  • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: ICMP.DLL$IcmpCloseHandle
                                                  • API String ID: 2574300362-3530519716
                                                  • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                  • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                  • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                  • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                  • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: ICMP.DLL$IcmpCreateFile
                                                  • API String ID: 2574300362-275556492
                                                  • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                  • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                  • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                  • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                  • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: ICMP.DLL$IcmpSendEcho
                                                  • API String ID: 2574300362-58917771
                                                  • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                  • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                  • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                  • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 2574300362-4033151799
                                                  • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                  • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                  • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                  • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                  • API String ID: 2574300362-1816364905
                                                  • Opcode ID: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                                  • Instruction ID: 24515a708fc6b3a38513646dac5635f6d90a943ae1c03eade4216686bbe3791e
                                                  • Opcode Fuzzy Hash: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                                  • Instruction Fuzzy Hash: 51E0127154070A9BD7105FA5E91878A77D8DB14751F10882AFD45E2650D7B8E480C7BC
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430E8D
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00430E9F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                  • API String ID: 2574300362-199464113
                                                  • Opcode ID: 264f8e721adbed0a0a4958d5ac8267ac8e19a3b8732fd2a865be9a36fa944cb5
                                                  • Instruction ID: 757376e69a8637ab8385673bd519a3d20b1bca35ee4978b7889da1ae4d413b5b
                                                  • Opcode Fuzzy Hash: 264f8e721adbed0a0a4958d5ac8267ac8e19a3b8732fd2a865be9a36fa944cb5
                                                  • Instruction Fuzzy Hash: 4AE01271540706DFD7105F65D91964B77D8DF18762F104C2AFD85E2650D7B8E48087AC
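The six records above share one shape: a LoadLibraryA call on a module name (ICMP.DLL, advapi32.dll, kernel32.dll) immediately followed by GetProcAddress on a function name, which is an import resolved at run time instead of appearing in the PE import table, so a static import scan of the sample will not list IcmpSendEcho, RegDeleteKeyExW, GetSystemWow64DirectoryW or GetModuleHandleExW. The Python below is an added example, not part of the Joe Sandbox report: it parses the "APIs" blocks of this record format and pairs each LoadLibraryA with the GetProcAddress that follows it in the same record. The embedded input is a constructed three-record excerpt in the report's format with the hash lines omitted; treating the LoadLibraryEx variants the same way and silently skipping lines the regex does not understand are assumptions about records not shown here.

```python
"""Extract API usage from Joe Sandbox per-function disassembly records.

Added example: parses the 'APIs' blocks of the record format shown in the
report and reconstructs LoadLibrary/GetProcAddress import pairs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt: three records in the report's format, hash lines omitted.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Memory Dump Source
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
Memory Dump Source
"""

# One call line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}  # assumption: Ex variants behave alike


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str                  # call-site address inside the dumped image
    subcall: Optional[str]    # address of the sub-function when the line is a "Part of subcall" entry


def parse_records(report: str) -> List[List[ApiCall]]:
    """Split the text at each 'APIs' header and parse the call lines that follow it."""
    records: List[List[ApiCall]] = []
    in_apis = False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append([])
            in_apis = True
            continue
        if line in SECTION_HEADERS:      # any other section header closes the APIs block
            in_apis = False
            continue
        if not in_apis:
            continue
        m = API_LINE.match(raw)
        if not m:
            continue                     # assumption: skip lines outside the known shape
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        records[-1].append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return records


def resolved_imports(records: List[List[ApiCall]]) -> List[Tuple[str, str, str]]:
    """Pair LoadLibrary*(lib) with the next GetProcAddress(_, func) in the same record.

    The trace prints the module handle passed to GetProcAddress as 00000000, so
    pairing is by order within the record, not by handle value.
    """
    out: List[Tuple[str, str, str]] = []
    for rec in records:
        pending: Optional[str] = None
        for call in rec:
            if call.name in LOADERS and call.args:
                pending = call.args[0]
            elif call.name == "GetProcAddress" and len(call.args) >= 2 and pending:
                out.append((pending, call.args[1], call.ref))
                pending = None
    return out


def apis_by_module(records: List[List[ApiCall]]) -> Dict[str, Set[str]]:
    """Group every parsed call, subcall lines included, by the module it is imported from."""
    by_mod: Dict[str, Set[str]] = {}
    for rec in records:
        for call in rec:
            by_mod.setdefault(call.module, set()).add(call.name)
    return by_mod


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for lib, func, ref in resolved_imports(recs):
        print(f"{lib}!{func}  resolved at {ref}")
    for mod, names in sorted(apis_by_module(recs).items()):
        print(f"{mod}: {', '.join(sorted(names))}")
```

Run over a whole report, the first list is the set of names an import-table scan would miss and therefore the one worth diffing against the static imports. The pattern on its own is not evidence of malice: portable runtimes resolve APIs that exist only on newer Windows versions the same way so the binary still loads on older ones, which is why the verdict in this report rests on the behaviour signatures rather than on these records.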
                                                  APIs
                                                  • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                  • __itow.LIBCMT ref: 004699CD
                                                    • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                  • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                  • __itow.LIBCMT ref: 00469A97
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$__itow
                                                  • String ID:
                                                  • API String ID: 3379773720-0
                                                  • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                  • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                  • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                  • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                  • ScreenToClient.USER32(?,?), ref: 00449A80
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$ClientMoveRectScreen
                                                  • String ID:
                                                  • API String ID: 3880355969-0
                                                  • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                  • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                  • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                  • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                  • String ID:
                                                  • API String ID: 2782032738-0
                                                  • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                  • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                  • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                  • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                  APIs
                                                  • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                  • GetWindowRect.USER32(?,?), ref: 00441722
                                                  • PtInRect.USER32(?,?,?), ref: 00441734
                                                  • MessageBeep.USER32(00000000), ref: 004417AD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                  • String ID:
                                                  • API String ID: 1352109105-0
                                                  • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                  • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                  • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                  • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                  APIs
                                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                  • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                  • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 3321077145-0
                                                  • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                  • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                  • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                  • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                  • __isleadbyte_l.LIBCMT ref: 004208A6
                                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                  • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                  • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                  • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                  APIs
                                                  • GetParent.USER32(?), ref: 004503C8
                                                  • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                  • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                  • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Proc$Parent
                                                  • String ID:
                                                  • API String ID: 2351499541-0
                                                  • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                  • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                  • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                  • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                  • TranslateMessage.USER32(?), ref: 00442B01
                                                  • DispatchMessageW.USER32(?), ref: 00442B0B
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Message$Peek$DispatchTranslate
                                                  • String ID:
                                                  • API String ID: 1795658109-0
                                                  • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                  • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                  • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                  • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                  APIs
                                                  • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                  • GetCaretPos.USER32(?), ref: 004743B2
                                                  • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                  • GetForegroundWindow.USER32 ref: 004743EE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                  • String ID:
                                                  • API String ID: 2759813231-0
                                                  • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                  • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                  • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                  • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                  APIs
                                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                  • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                  • _wcslen.LIBCMT ref: 00449519
                                                  • _wcslen.LIBCMT ref: 00449526
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend_wcslen$_wcspbrk
                                                  • String ID:
                                                  • API String ID: 2886238975-0
                                                  • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                  • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                  • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                  • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __setmode$DebugOutputString_fprintf
                                                  • String ID:
                                                  • API String ID: 1792727568-0
                                                  • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                  • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                  • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                  • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                  APIs
                                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$AttributesLayered
                                                  • String ID:
                                                  • API String ID: 2169480361-0
                                                  • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                  • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                  • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                  • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                  APIs
                                                    • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                    • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                    • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                  • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                  • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                  • String ID: cdecl
                                                  • API String ID: 3850814276-3896280584
                                                  • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                  • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                  • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                  • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                  APIs
                                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                  • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                  • _memmove.LIBCMT ref: 0046D475
                                                  • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                  • String ID:
                                                  • API String ID: 2502553879-0
                                                  • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                  • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                  • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                  • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                  APIs
                                                  • SendMessageW.USER32 ref: 00448C69
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                  • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                  • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow
                                                  • String ID:
                                                  • API String ID: 312131281-0
                                                  • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                  • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                  • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                  • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                  APIs
                                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastacceptselect
                                                  • String ID:
                                                  • API String ID: 385091864-0
                                                  • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                  • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                  • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                  • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                  APIs
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                  • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                  • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                  • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                  • GetStockObject.GDI32(00000011), ref: 00430258
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateMessageObjectSendShowStock
                                                  • String ID:
                                                  • API String ID: 1358664141-0
                                                  • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                  • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                  • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                  • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                  • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 2880819207-0
                                                  • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                  • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                  • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                  • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                  • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                  • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                  • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                  • String ID:
                                                  • API String ID: 357397906-0
                                                  • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                  • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                  • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                  • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                  APIs
                                                  • __wsplitpath.LIBCMT ref: 0043392E
                                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                  • __wsplitpath.LIBCMT ref: 00433950
                                                  • __wcsicoll.LIBCMT ref: 00433974
                                                  • __wcsicoll.LIBCMT ref: 0043398A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                  • String ID:
                                                  • API String ID: 1187119602-0
                                                  • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                  • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                  • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                  • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                  • String ID:
                                                  • API String ID: 1597257046-0
                                                  • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                  • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                  • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                  • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                  • __malloc_crt.LIBCMT ref: 0041F5B6
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentStrings$Free__malloc_crt
                                                  • String ID:
                                                  • API String ID: 237123855-0
                                                  • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                  • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                  • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                  • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DeleteDestroyObject$IconWindow
                                                  • String ID:
                                                  • API String ID: 3349847261-0
                                                  • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                  • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                  • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                  • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 2223660684-0
                                                  • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                  • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                  • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                  • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                  APIs
                                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                  • LineTo.GDI32(?,?,?), ref: 00447326
                                                  • EndPath.GDI32(?), ref: 00447336
                                                  • StrokePath.GDI32(?), ref: 00447344
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                  • String ID:
                                                  • API String ID: 2783949968-0
                                                  • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                  • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                  • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                  • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                  • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                  • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 2710830443-0
                                                  • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                  • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                  • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                  • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                  • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                    • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                    • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                  • String ID:
                                                  • API String ID: 146765662-0
                                                  • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                  • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                  • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                  • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 00472B63
                                                  • GetDC.USER32(00000000), ref: 00472B6C
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                  • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                  • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                  • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                  • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 00472BB2
                                                  • GetDC.USER32(00000000), ref: 00472BBB
                                                  • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                  • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                  • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                  • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                  • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                  APIs
                                                  • __getptd_noexit.LIBCMT ref: 00415150
                                                    • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                    • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                    • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                    • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                    • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                  • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                  • __freeptd.LIBCMT ref: 0041516B
                                                  • ExitThread.KERNEL32 ref: 00415173
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                  • String ID:
                                                  • API String ID: 1454798553-0
                                                  • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                  • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                  • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                  • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                  APIs
                                                  • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                  • String ID: AutoIt3GUI$Container
                                                  • API String ID: 2652923123-3941886329
                                                  • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                  • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                  • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                  • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                  APIs
                                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                  • __wcsnicmp.LIBCMT ref: 00467288
                                                  • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                  • String ID: LPT
                                                  • API String ID: 3035604524-1350329615
                                                  • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                  • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                  • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                  • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID: &
                                                  • API String ID: 2931989736-1010288
                                                  • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                  • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                  • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                  • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: \
                                                  • API String ID: 4104443479-2967466578
                                                  • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                  • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                  • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                  • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00466825
                                                  • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CrackInternet_wcslen
                                                  • String ID: |
                                                  • API String ID: 596671847-2343686810
                                                  • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                  • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                  • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                  • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                  APIs
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: '
                                                  • API String ID: 3850602802-1997036262
                                                  • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                  • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                  • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                  • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                  APIs
                                                  • _strlen.LIBCMT ref: 0040F858
                                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                  • _sprintf.LIBCMT ref: 0040F9AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove$_sprintf_strlen
                                                  • String ID: %02X
                                                  • API String ID: 1921645428-436463671
                                                  • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                  • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                  • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                  • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Combobox
                                                  • API String ID: 3850602802-2096851135
                                                  • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                  • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                  • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                  • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                  APIs
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: LengthMessageSendTextWindow
                                                  • String ID: edit
                                                  • API String ID: 2978978980-2167791130
                                                  • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                  • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                  • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                  • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemorySleepStatus
                                                  • String ID: @
                                                  • API String ID: 2783356886-2766056989
                                                  • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                  • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                  • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                  • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
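The APIs, Strings and Similarity fields of the per-function records above (API ID, String ID, API String ID, Opcode ID / Opcode Fuzzy Hash, Instruction Fuzzy Hash, and the `ref:` call-site addresses) are what an analyst pivots on when comparing this sample with another report or locating the same function in the memory dump. The Python below is an added example, not Joe Sandbox's or this report's own code: it parses records written in the layout above into structured objects, runs two sanity checks (Opcode ID equals Opcode Fuzzy Hash, as it does in every record on this page, and API String ID has the `<api hash>-<string hash>` form), lists the functions two record sets share by API String ID, and returns call-site addresses for a given API. The `SAMPLE` text is three records copied from this page, trimmed of the repeated Memory Dump Source block; treating `$` as the separator inside String ID follows the `_wcsncpy` record on this page, and the names `ApiCall`, `FunctionRecord`, `meta` and the regexes are the example's own.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity). Added example only."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three records from the listing above in the report's own
# line layout, trimmed of the repeated 'Memory Dump Source' blocks.
SAMPLE = r"""APIs
• Sleep.KERNEL32(00000000), ref: 00476CB0
• GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
• Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• wsprintfW.USER32 ref: 0045612A
Strings
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
• API String ID: 1262938277-328681919
• Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
• Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
APIs
Strings
• ^B, xrefs: 00433248
• C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, xrefs: 0043324B
Similarity
• API ID: _wcsncpy
• String ID: ^B$C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
• API String ID: 1735881322-1339808922
• Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
• Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
META_SECTIONS = SECTIONS - {"APIs", "Strings"}  # plain 'Key: value' sections
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
                    r",? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^•\s*(?P<value>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+): (?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                   # call-site address, the pivot into the dump
    parent: str | None = None  # set on 'Part of subcall function' lines

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (value, xref)
    meta: dict[str, str] = field(default_factory=dict)            # Similarity fields

    def string_ids(self) -> list[str]:
        # The report joins referenced strings with '$' (see the _wcsncpy record);
        # a literal '$' inside one string cannot be told apart from that separator.
        return self.meta["String ID"].split("$") if "String ID" in self.meta else []

def parse_records(text: str) -> list[FunctionRecord]:
    """Each 'APIs' header opens a new per-function record."""
    records, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
        elif records and section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            records[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif records and section == "Strings" and (m := STRING_RE.match(line)):
            records[-1].strings.append((m["value"], m["ref"]))
        elif records and section in META_SECTIONS and (m := KV_RE.match(line)):
            records[-1].meta[m["key"]] = m["value"]
    return records

def check_record(rec: FunctionRecord) -> list[str]:
    """Sanity checks before using a record as a pivot; an empty list means clean."""
    m, problems = rec.meta, []
    if m.get("Opcode ID") != m.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if not re.fullmatch(r"\d+-\d+", m.get("API String ID", "")):
        problems.append("API String ID is not '<api hash>-<string hash>'")
    return problems

def shared_functions(a: list[FunctionRecord], b: list[FunctionRecord]) -> list[str]:
    """API String IDs present in both sets: same API set and same referenced
    strings, which makes them the first pivot between two reports."""
    ids = lambda recs: {r.meta["API String ID"] for r in recs if "API String ID" in r.meta}
    return sorted(ids(a) & ids(b))

def refs_calling(records: list[FunctionRecord], api: str) -> list[str]:
    """Call-site addresses of every call to `api` across the records."""
    return [c.ref for r in records for c in r.apis if c.name == api]

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.meta.get("API ID"), r.meta.get("API String ID"), check_record(r) or "ok")
```

On the sample, `refs_calling(recs, "GlobalMemoryStatusEx")` gives `['00476CC3']`, the address to jump to in the dump; `shared_functions` is the coarse first pass, and a fuzzy-hash comparison on Instruction Fuzzy Hash (not implemented here) is the next step when the exact IDs differ.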
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: htonsinet_addr
                                                  • String ID: 255.255.255.255
                                                  • API String ID: 3832099526-2422070025
                                                  • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                  • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                  • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                  • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                  APIs
                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID: <local>
                                                  • API String ID: 2038078732-4266983199
                                                  • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                  • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                  • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                  • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                  APIs
                                                  • SafeArrayCreateVector.OLEAUT32(00000013,00000000), ref: 0044CE78
                                                  • _memmove.LIBCMT ref: 0044CE9F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: ArrayCreateSafeVector_memmove
                                                  • String ID: crts
                                                  • API String ID: 564309351-3724388283
                                                  • Opcode ID: 7e754992b260b6e72dbf0ba7770114a121c02481734c5380321d1baa9379aa27
                                                  • Instruction ID: ae18a0e6088bde325f2b8f87e65bbb2aaade0ee39655e70765b31d945e00dc0b
                                                  • Opcode Fuzzy Hash: 7e754992b260b6e72dbf0ba7770114a121c02481734c5380321d1baa9379aa27
                                                  • Instruction Fuzzy Hash: 7B0122B390010CABD700DF5AEC41E9B77A8EB84300F00412BFA08D7241EB31EA52C7E0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock_memmove
                                                  • String ID: EA06
                                                  • API String ID: 1988441806-3962188686
                                                  • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                  • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                  • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                  • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: u,D
                                                  • API String ID: 4104443479-3858472334
                                                  • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                  • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                  • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                  • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: Error:
                                                  • API String ID: 4104443479-232661952
                                                  • Opcode ID: 47c0561e29c226fab9e20f11d30fc4033f42905d42d91430649e8e798f40a5ad
                                                  • Instruction ID: e6e9f2aa443a554b8bda50df2a041f2c42dbd20d32390c21629c974d0e28b4a3
                                                  • Opcode Fuzzy Hash: 47c0561e29c226fab9e20f11d30fc4033f42905d42d91430649e8e798f40a5ad
                                                  • Instruction Fuzzy Hash: 2101EFB6200115ABC704DF49D981D6AF7A9FF88710708855AF819CB302D774FD20CBA4
                                                  APIs
                                                  • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • wsprintfW.USER32 ref: 0045612A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: MessageSend_mallocwsprintf
                                                  • String ID: %d/%02d/%02d
                                                  • API String ID: 1262938277-328681919
                                                  • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                  • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                  • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                  • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                  APIs
                                                  • InternetCloseHandle.WININET(?), ref: 00442663
                                                  • InternetCloseHandle.WININET ref: 00442668
                                                    • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleInternet$ObjectSingleWait
                                                  • String ID: aeB
                                                  • API String ID: 857135153-906807131
                                                  • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                  • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                  • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                  • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                  APIs
                                                  Strings
                                                  • ^B, xrefs: 00433248
                                                  • C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, xrefs: 0043324B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: _wcsncpy
                                                  • String ID: ^B$C:\Users\user\Desktop\COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe
                                                  • API String ID: 1735881322-1339808922
                                                  • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                                  • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                                                  • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                                  • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                  • PostMessageW.USER32(00000000), ref: 00441C05
                                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                  • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                  • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                  • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                  • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                  • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                  • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                  APIs
                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                    • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1396766867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1396609232.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1396905952.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397152420.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397262575.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397280827.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1397502678.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Message_doexit
                                                  • String ID: AutoIt$Error allocating memory.
                                                  • API String ID: 1993061046-4017498283
                                                  • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                  • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                  • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                  • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D