Edit tour

Windows Analysis Report
Invoice Shipment.bat.exe

Overview

General Information

Sample name:	Invoice Shipment.bat.exe
Analysis ID:	1578872
MD5:	0124dfaae8cfd1c71918409b23e14ffb
SHA1:	672c6551c37e7ababfdcff30a9b9ad555fdd09fa
SHA256:	619b02fa7d7842107c0567e07f9dc1373a9a290b20ffeb689160e5a5946d8339
Tags:	batexeuser-abuse_ch
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected DarkCloud

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Sample uses string decryption to hide its real strings

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Invoice Shipment.bat.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\Invoice Shipment.bat.exe" MD5: 0124DFAAE8CFD1C71918409B23E14FFB)

powershell.exe (PID: 7928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7680 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 8160 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6956 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)

WerFault.exe (PID: 1672 cmdline: C:\Windows\system32\WerFault.exe -u -p 6956 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

qGapNjaVVUPNU.exe (PID: 3500 cmdline: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe MD5: 0124DFAAE8CFD1C71918409B23E14FFB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "SMTP", "To Address": "srang.kuyneng@spacelogic.com.kh", "From Address": "srang.kuyneng@spacelogic.com.kh"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x4398:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: Invoice Shipment.bat.exe PID: 7436	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.Invoice Shipment.bat.exe.150eb6a0.4.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Invoice Shipment.bat.exe.150c2f44.5.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Invoice Shipment.bat.exe.15078660.6.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Invoice Shipment.bat.exe.150eb6a0.4.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Invoice Shipment.bat.exe.150c2f44.5.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ParentImage: C:\Users\user\Desktop\Invoice Shipment.bat.exe, ParentProcessId: 7436, ParentProcessName: Invoice Shipment.bat.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 6956, ProcessName: RegSvcs.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ParentImage: C:\Users\user\Desktop\Invoice Shipment.bat.exe, ParentProcessId: 7436, ParentProcessName: Invoice Shipment.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ProcessId: 7928, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ParentImage: C:\Users\user\Desktop\Invoice Shipment.bat.exe, ParentProcessId: 7436, ParentProcessName: Invoice Shipment.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", ProcessId: 8160, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ParentImage: C:\Users\user\Desktop\Invoice Shipment.bat.exe, ParentProcessId: 7436, ParentProcessName: Invoice Shipment.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ProcessId: 7928, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice Shipment.bat.exe", ParentImage: C:\Users\user\Desktop\Invoice Shipment.bat.exe, ParentProcessId: 7436, ParentProcessName: Invoice Shipment.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp", ProcessId: 8160, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "srang.kuyneng@spacelogic.com.kh", "From Address": "srang.kuyneng@spacelogic.com.kh"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Invoice Shipment.bat.exe	ReversingLabs: Detection: 52%
Source: Invoice Shipment.bat.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Invoice Shipment.bat.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Cookies
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})\|^((bitcoincash:)?(q\|p)[a-z0-9]{41})\|^((BITCOINCASH:)?(Q\|P)[A-Z0-9]{41})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(0x){1}[0-9a-fA-F]{40}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \Default\Login Data
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \Login Data
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Password :
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: SMTP Email Address
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: NNTP Email Address
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Email
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: HTTPMail User Name
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: HTTPMail Server
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Password
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Mastercard
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Visa Card
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Visa Master Card
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \signons.sqlite
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \logins.json
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Foxmail.exe
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: mail\
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: EnableSignature
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Application : FoxMail
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: logins
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Select * from Win32_ComputerSystem
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: mail.spacelogic.com.kh
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \global-messages-db.sqlite
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: C:\\MailMasterData
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Cookies
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})\|^((bitcoincash:)?(q\|p)[a-z0-9]{41})\|^((BITCOINCASH:)?(Q\|P)[A-Z0-9]{41})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(0x){1}[0-9a-fA-F]{40}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \Default\Login Data
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \Login Data
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Password :
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: SMTP Email Address
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: NNTP Email Address
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Email
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: HTTPMail User Name
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: HTTPMail Server
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Password
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Mastercard
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Visa Card
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Visa Master Card
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \signons.sqlite
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \logins.json
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Foxmail.exe
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: mail\
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: EnableSignature
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Application : FoxMail
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: logins
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: Select * from Win32_ComputerSystem
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: mail.spacelogic.com.kh
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: \global-messages-db.sqlite
Source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack	String decryptor: C:\\MailMasterData

Source: Invoice Shipment.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: W.pdb4 source: Invoice Shipment.bat.exe, 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp

Source: Invoice Shipment.bat.exe, 00000000.00000002.2325949249.0000000003567000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice Shipment.bat.exe

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Code function: 0_2_00007FFD340FE253		0_2_00007FFD340FE253
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Code function: 13_2_00007FFD340DE253		13_2_00007FFD340DE253

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6956 -s 12

Source: qGapNjaVVUPNU.exe.0.dr	Static PE information: No import functions for PE file found
Source: Invoice Shipment.bat.exe	Static PE information: No import functions for PE file found

Source: Invoice Shipment.bat.exe, 00000000.00000002.2340989983.000000001DB00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs Invoice Shipment.bat.exe
Source: Invoice Shipment.bat.exe, 00000000.00000002.2325430030.0000000000DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Invoice Shipment.bat.exe
Source: Invoice Shipment.bat.exe, 00000000.00000000.2217468556.00000000002B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehUaX.exe. vs Invoice Shipment.bat.exe
Source: Invoice Shipment.bat.exe, 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs Invoice Shipment.bat.exe
Source: Invoice Shipment.bat.exe, 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameflakiness.exe vs Invoice Shipment.bat.exe
Source: Invoice Shipment.bat.exe, 00000000.00000002.2325949249.0000000003567000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Invoice Shipment.bat.exe
Source: Invoice Shipment.bat.exe	Binary or memory string: OriginalFilenamehUaX.exe. vs Invoice Shipment.bat.exe

Source: 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Invoice Shipment.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qGapNjaVVUPNU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Invoice Shipment.bat.exe, 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, Invoice Shipment.bat.exe, 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: D*\AC:\Users\LENOVO\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp(I@=

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/13@0/0

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

File created: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Mutant created: \Sessions\1\BaseNamedObjects\FWeBGcgSrLvYWmDpUNnteK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6956

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF214.tmp

Jump to behavior

Source: Invoice Shipment.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Invoice Shipment.bat.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Invoice Shipment.bat.exe	ReversingLabs: Detection: 52%
Source: Invoice Shipment.bat.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

File read: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice Shipment.bat.exe "C:\Users\user\Desktop\Invoice Shipment.bat.exe"
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6956 -s 12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Invoice Shipment.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice Shipment.bat.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Invoice Shipment.bat.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Invoice Shipment.bat.exe

Static file information: File size 1065984 > 1048576

Source: Invoice Shipment.bat.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101e00

Source: Invoice Shipment.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: W.pdb4 source: Invoice Shipment.bat.exe, 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Invoice Shipment.bat.exe, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: qGapNjaVVUPNU.exe.0.dr, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Code function: 0_2_00007FFD340F00BD pushad ; iretd		0_2_00007FFD340F00C1
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Code function: 13_2_00007FFD340D00BD pushad ; iretd		13_2_00007FFD340D00C1

Source: Invoice Shipment.bat.exe	Static PE information: section name: .text entropy: 7.80635107920428
Source: qGapNjaVVUPNU.exe.0.dr	Static PE information: section name: .text entropy: 7.80635107920428

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

File created: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Memory allocated: CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Memory allocated: 1B520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Memory allocated: 1BC40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8038	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1462	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Window / User API: threadDelayed 546	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5052	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe TID: 612	Thread sleep time: -542000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe TID: 612	Thread sleep time: -1092000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Invoice Shipment.bat.exe, 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: vmtools

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe"
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe"
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe"	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Thread register set: target process: 6956

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 4F3529010

Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Queries volume information: C:\Users\user\Desktop\Invoice Shipment.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	Queries volume information: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Shipment.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150eb6a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150c2f44.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.15078660.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150eb6a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150c2f44.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice Shipment.bat.exe PID: 7436, type: MEMORYSTR

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150eb6a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150c2f44.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.15078660.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150eb6a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.150c2f44.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Shipment.bat.exe.15078660.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice Shipment.bat.exe PID: 7436, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice Shipment.bat.exe	53%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
Invoice Shipment.bat.exe	57%	Virustotal		Browse
Invoice Shipment.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe	53%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Invoice Shipment.bat.exe, 00000000.00000002.2325949249.0000000003567000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578872
Start date and time:	2024-12-20 15:59:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Invoice Shipment.bat.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/13@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 55% Number of executed functions: 140 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 23.206.197.18, 184.28.90.27, 20.12.23.50, 20.223.35.26, 23.206.197.41, 150.171.28.10, 23.206.197.58
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, azureedge-t-prod.trafficmanager.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Invoice Shipment.bat.exe, PID 7436 because it is empty
Execution Graph export aborted for target qGapNjaVVUPNU.exe, PID 3500 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:00:12	API Interceptor	2x Sleep call for process: Invoice Shipment.bat.exe modified
10:00:21	API Interceptor	828x Sleep call for process: qGapNjaVVUPNU.exe modified
10:00:27	API Interceptor	46x Sleep call for process: powershell.exe modified
16:00:20	Task Scheduler	Run new task: qGapNjaVVUPNU path: C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	MS100384UTC.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	SWIFT.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	pjthjsdjgjrtavv.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	Laurier Partners Proposal.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	13.107.246.63
	https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eil&ts=67645d30	Get hash	malicious	Unknown	Browse	13.107.246.63
	1734647107dd7eab79078510a75c9c904ec20f028e4e5eeaf98868f69fdfb304d2c24675ce436.dat-decoded.exe	Get hash	malicious	XWorm	Browse	13.107.246.63

Process:	C:\Users\user\Desktop\Invoice Shipment.bat.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.380493107040482
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
MD5:	3C7E5782E6C100B90932CBDED08ADE42
SHA1:	D498EE0833BB8C85592FB3B1E482267362DB3F74
SHA-256:	361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
SHA-512:	3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVsHh:NllUGH
MD5:	E396A80CD8E90276EF876FC94B5CFF7A
SHA1:	6A7ED0E4173A27630A7FC30F3C325EF9D031D495
SHA-256:	8B604E9275EE1B6552C36CB85EAE692225A510A26942C4AC17C68046DE9F1516
SHA-512:	1CD3AD1E23744327701BF26DBAECCCA8FF426D40FACDA77F067C3A56111E9E3A48DA3EF4B990476253C73F0B08E8C4F49375422A80216BD7DD2C57995AF4AFE4
Malicious:	false
Preview:	@...e...................................2............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aai5z0ra.hf1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2oipehl.50k.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5ahv2ge.t11.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hh5dmtb2.m4e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3k30ksn.ksl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmj2ke5k.oqs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wq2hwn2w.cvw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0g3lako.4hv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpF214.tmp

Download File

Process:	C:\Users\user\Desktop\Invoice Shipment.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.109509747715365
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLGxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTOv
MD5:	56A5769C2D4CCEED2FA33881C3CDB793
SHA1:	354CAA9828DE58B38FBB3BE0D79CA19B70FA4415
SHA-256:	28FEE86A612EC6DAB0789D262A6929A39E0FB22B2BE26740F9F7609643486017
SHA-512:	569FB2EE1E4A71C6EBC1F72C242E3C91A462BFADBFE3CB4DE80CEAD28C2860256FB5508A05C9B0A6474F538DD3273431B7328EA6CD4C3AE9E260A96952DC6446
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

Download File

Process:	C:\Users\user\Desktop\Invoice Shipment.bat.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1065984
Entropy (8bit):	7.80508152530508
Encrypted:	false
SSDEEP:	24576:ZjlIhZUa/P3seteQpmHNqfWMhlz/1usFWVD+qGN0db1r:Zjl+ZUWPvtvpmtEWklZ0VNd
MD5:	0124DFAAE8CFD1C71918409B23E14FFB
SHA1:	672C6551C37E7ABABFDCFF30A9B9AD555FDD09FA
SHA-256:	619B02FA7D7842107C0567E07F9DC1373A9A290B20FFEB689160E5A5946D8339
SHA-512:	B378420F075FE17DFEE4D844111088300A08291A23D0FE5EB01C726B023E670F54A4AA83B689C2DC3E0C670D7162EBA4049B1B03103260B8A24D06409D6DB14F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...^L`g.........."...0......$........... .....@..... ....................................@...@......@............... ...............................@..("........................................................................................... ..H............text........ ...................... ..`.rsrc...("...@...$... ..............@..@........................................H.......\1...!...........S...............................................0...........(........}.....s....}.....r...p(....}.....~.... ....s....}.....{....o.... ......o......{.....o......{....o.....{....o......{.....{....o.....f........s ...s!...("....~..{....r...po......{....o#.....0..}.........{....r9..po......+7...{.....\|....o$...}....(%....{....o&.....{.....o........+.&..{....rS..po........&..{....rS..po...................>P..........>f.........}.....('.......s....}.....(.....*

C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Invoice Shipment.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.80508152530508
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	Invoice Shipment.bat.exe
File size:	1'065'984 bytes
MD5:	0124dfaae8cfd1c71918409b23e14ffb
SHA1:	672c6551c37e7ababfdcff30a9b9ad555fdd09fa
SHA256:	619b02fa7d7842107c0567e07f9dc1373a9a290b20ffeb689160e5a5946d8339
SHA512:	b378420f075fe17dfee4d844111088300a08291a23d0fe5eb01c726b023e670f54a4aa83b689c2dc3e0c670d7162eba4049b1b03103260b8a24d06409d6db14f
SSDEEP:	24576:ZjlIhZUa/P3seteQpmHNqfWMhlz/1usFWVD+qGN0db1r:Zjl+ZUWPvtvpmtEWklZ0VNd
TLSH:	933502D02F213301EC69A930816DEDB862161E68B004B9DB5EDD3B5777EF152AA2CF17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...^L`g.........."...0......$........... .....@..... ....................................@...@......@............... .....

File Icon


Icon Hash:	37c38329a3924d33

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67604C5E [Mon Dec 16 15:50:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x104000	0x2228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x101c90	0x101e00	b969033e7539f81be57cc6b57dc7ce00	False	0.9313130528962675	data	7.80635107920428	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x104000	0x2228	0x2400	97036f98291751286b28f41cb23b18c2	False	0.8845486111111112	data	7.38448794458387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1040c8	0x1e1f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9939048113085203
RT_GROUP_ICON	0x105ef8	0x14	data	1.05
RT_VERSION	0x105f1c	0x308	data	0.45618556701030927

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 16:00:09.524415016 CET	1.1.1.1	192.168.2.6	0x9404	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 16:00:09.524415016 CET	1.1.1.1	192.168.2.6	0x9404	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:00:11
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\Invoice Shipment.bat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Invoice Shipment.bat.exe"
Imagebase:	0x2b0000
File size:	1'065'984 bytes
MD5 hash:	0124DFAAE8CFD1C71918409B23E14FFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.2327973079.000000001530A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2327973079.0000000014FB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:00:17
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice Shipment.bat.exe"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:00:17
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:00:18
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:00:19
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:00:19
Start date:	20/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qGapNjaVVUPNU" /XML "C:\Users\user\AppData\Local\Temp\tmpF214.tmp"
Imagebase:	0x7ff6d0b30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:00:19
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:00:20
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe
Imagebase:	0xd30000
File size:	1'065'984 bytes
MD5 hash:	0124DFAAE8CFD1C71918409B23E14FFB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:00:20
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x1ba0afb0000
File size:	45'472 bytes
MD5 hash:	DC67ADE51149EC0C373A379473895BA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	10:00:22
Start date:	20/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6956 -s 12
Imagebase:	0x7ff67d6f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:00:31
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD340FE253 Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

1Gf', xrefs: 00007FFD340FEBC0
L, xrefs: 00007FFD340FE9FE

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID: 1Gf'$L
API String ID: 0-972744021
Opcode ID: f959931fc5d2b050ddab9ef3b7cd4abb691a18fb811a07440f58391421b1c93b
Instruction ID: af4e278cd80dac6ce2db206593800ed00032b87606c8ffbcd5f964f2de656dd2
Opcode Fuzzy Hash: f959931fc5d2b050ddab9ef3b7cd4abb691a18fb811a07440f58391421b1c93b
Instruction Fuzzy Hash: 2412D172A0D3C54FE3569B2488A55A57FF0EF57310F1901FBE489C71A3EA2C6806E792

Function 00007FFD340FC229 Relevance: 1.8, Strings: 1, Instructions: 576COMMON

Download Yara Rule

Strings

"N_H, xrefs: 00007FFD340FC61F

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID: "N_H
API String ID: 0-341807194
Opcode ID: c3c224d84db113c9cdbd173ead72934cadab523dc0f080a0e8ef5af91a97d62b
Instruction ID: f65e1247a201cfa770063a46da0b490c7ffb3f4c20b17004bc486b5de7f7b247
Opcode Fuzzy Hash: c3c224d84db113c9cdbd173ead72934cadab523dc0f080a0e8ef5af91a97d62b
Instruction Fuzzy Hash: 9F121873F0C6864FE76AD76488A66653FB0FF57300F1845BBC189C7193EA2C640AA791

Function 00007FFD340FCF93 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

7, xrefs: 00007FFD340FCFB7

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: a268f3473c25830160e11dec39abc73e51b2e5886216df1cc00328f96a1e9e7a
Instruction ID: 9ae2655e5a2482cff73efa654bff98369891726ef56c4b24764f489d22d92b17
Opcode Fuzzy Hash: a268f3473c25830160e11dec39abc73e51b2e5886216df1cc00328f96a1e9e7a
Instruction Fuzzy Hash: 1211A331B2C5194BD75CAA1C44A247D77E2EF9A700F24843DE597C72C2ED2CE902B280

Function 00007FFD340FD008 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD340FD01A

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 1c70245d77d55538b88943a99d24ef0cebec0a5650c62faf0ca4096684f116f9
Instruction ID: aed04070e45da554fa5b9fe6602a4b158815fdaf2dd22df855a0980f8b12f5d7
Opcode Fuzzy Hash: 1c70245d77d55538b88943a99d24ef0cebec0a5650c62faf0ca4096684f116f9
Instruction Fuzzy Hash: 56117031B2C6568AEB6C9A2984B51BC77E1FF46701F20543DE5EBC25C2ED3CE942B640

Function 00007FFD340FCF79 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

7, xrefs: 00007FFD340FCF7D

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 1f17683896f5ee9959e526dcd364bf70d089f80a5fae7c2744eb1bdb6e754af5
Instruction ID: f37cd9f91f362a5acfe1556146b3ce4c5d1ad2e96b0b559984f2829a8f4b0e1f
Opcode Fuzzy Hash: 1f17683896f5ee9959e526dcd364bf70d089f80a5fae7c2744eb1bdb6e754af5
Instruction Fuzzy Hash: D701AD31B2C5154AE72CAA2884A14BC77E2FF46701F20443DE59BD21C2DE3DE942B280

Function 00007FFD340F1C86 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10ef0a1f4a587238f4fad33580a8304f6bf54dc2d091c76b5932724c8265f9c
Instruction ID: 4d99189dce07c42a531b574152cd06aafc1c2512d743432e0f7ff9ce3d715517
Opcode Fuzzy Hash: c10ef0a1f4a587238f4fad33580a8304f6bf54dc2d091c76b5932724c8265f9c
Instruction Fuzzy Hash: 4DF11730A09A5E8FDB95EB18C8A4BA973B1FF59300F1045F9E40DD7296CA35AD86DF40

Function 00007FFD340F1699 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ec2f811dee097d38a7826dc82c5842238936e38b68cc2bc5546effdae3ed58
Instruction ID: c58e712bcfdf2926b5bc4c6f4184d5c23398a4c849df6640e7ebb03d4b184597
Opcode Fuzzy Hash: a1ec2f811dee097d38a7826dc82c5842238936e38b68cc2bc5546effdae3ed58
Instruction Fuzzy Hash: FFE12030A0994D8FDB99EF28C895BE973A1FF59304F1005B9D40DD7296CA39AD42DF40

Function 00007FFD340F9955 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2750b6f9c87e85ff2f9c39ba0074dfb1728a724fb0a8e3093e24d4148e02390
Instruction ID: 94ab08d38647b18b200347b57e88dfd376abcbf0bf01e89172eb33ee72d745fe
Opcode Fuzzy Hash: f2750b6f9c87e85ff2f9c39ba0074dfb1728a724fb0a8e3093e24d4148e02390
Instruction Fuzzy Hash: B6D1E371E08A198FDBA4EB68C8A57E8B7B1FF59310F5041BAD04DE3291DE3869849F40

Function 00007FFD340F288E Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45033b116c148d77a76ac910081f780a8417772804f4611727025206deabb92e
Instruction ID: 00c50b403f83dadaa5ca8016028a71fbf46d08d1dd62d4813fec47c57419f5bf
Opcode Fuzzy Hash: 45033b116c148d77a76ac910081f780a8417772804f4611727025206deabb92e
Instruction Fuzzy Hash: 5FE16B31E0961A8FDB69DF58C8A16EDB7B1FF19300F1001BDD109E7282DB396985EB90

Function 00007FFD340F1DED Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1b36df53eb52bc6d4176012ead32469971b7f49060f70ff7b341d64660a226
Instruction ID: 1228e26a533cc562e348a7889f075ed7dd4cdb0ef2d42fdd8ca28938e35f462b
Opcode Fuzzy Hash: 7b1b36df53eb52bc6d4176012ead32469971b7f49060f70ff7b341d64660a226
Instruction Fuzzy Hash: B2B1E534A0491E8FDB98EF18C894BA9B3B1FF69301F1041E9A41DD7262CA35EE81CF40

Function 00007FFD340F1DA8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba455a07462a9dc45cf29349e73a262695abb6fc000ee0a5a651de471e443c5
Instruction ID: 5472586396b9a44ed73ca8ef075f0eed1a3ef4ba47d93eb28c05182a67aebdee
Opcode Fuzzy Hash: eba455a07462a9dc45cf29349e73a262695abb6fc000ee0a5a651de471e443c5
Instruction Fuzzy Hash: 0EA1E734A0495E8FDB95EF18C894BA9B3B1FF69301F1041F9A41DD7296CA34AE85DF40

Function 00007FFD340F44DC Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97afe8ba811593a7eb27f1234124ffb91ec125aa8bb82e18bae7c9a816e22774
Instruction ID: b7ad7fda0b140f064c69ea059def8406025eca393b75541536ca02477017ff6c
Opcode Fuzzy Hash: 97afe8ba811593a7eb27f1234124ffb91ec125aa8bb82e18bae7c9a816e22774
Instruction Fuzzy Hash: 5C81BE71A0D6898FDB46DB68C8A4BE97BF1FF67300F0501AAD048D72A3DA386945DB41

Function 00007FFD340FCC14 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8669e67e7a40ad7c86c7dad616b8b06f8322b12d0bb3648b2aca730ff63912d6
Instruction ID: 2551a10ee672b3d20570629da132868b4c306a493ebb4e37a5b397db415a2a93
Opcode Fuzzy Hash: 8669e67e7a40ad7c86c7dad616b8b06f8322b12d0bb3648b2aca730ff63912d6
Instruction Fuzzy Hash: 5361F631B0D2814FD71ADB2488A65A53FF1EF57300B1941FED48ACB1A3D92CA846E792

Function 00007FFD341069D0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3bbdc974dc4fc5052214b7c99d7463b95aced20b15c804923bdc67a4a5706c
Instruction ID: a679cc4766dbf451df3ebd0a3d1a29e97d1ab6a625832d15cee5371190067d5c
Opcode Fuzzy Hash: 9b3bbdc974dc4fc5052214b7c99d7463b95aced20b15c804923bdc67a4a5706c
Instruction Fuzzy Hash: 1D71C071A18A0ECFDB98DF58C4A4ABD77F5FF59300F101469E50AE7291CA38A861DB90

Function 00007FFD340F6B01 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd1baa70cf1cad8eeef5eb93c11c6aaaef64e4a339c872c650b59d88ec8fc7d
Instruction ID: 4f4dc4eaf54f6d7f90803f7d361a02a62b68bf9dd43c0b6d7bdc4ce0f9fbd3f8
Opcode Fuzzy Hash: ddd1baa70cf1cad8eeef5eb93c11c6aaaef64e4a339c872c650b59d88ec8fc7d
Instruction Fuzzy Hash: F7719E7190D3C98FDB03CB7488616D97FB1EF57210F0A45EBC485CB2A3D628990ADB62

Function 00007FFD340FCC93 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d79ebd1c7a07d0e865ec6723c91233925385868765bc7d370468ab1830f1b38
Instruction ID: 53462f76f063636d74c961fd0e73aa9fdf27cdb7ac9a66dc7c02a47abc33fc3b
Opcode Fuzzy Hash: 5d79ebd1c7a07d0e865ec6723c91233925385868765bc7d370468ab1830f1b38
Instruction Fuzzy Hash: EB51D97170D6814FD71ADB24C8A69653FB1EF63310B1941FAC08ACB1A3D92CEC06E792

Function 00007FFD340F6B68 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc2cb9e95c4d51baaadb9504fa7f88c88c00aef95f22cd4013c899d10f19a3c
Instruction ID: 93d0d27031c62f166fa0cfb2fb800c93390cb5abf5cf9adf3ac0737dc6486295
Opcode Fuzzy Hash: ecc2cb9e95c4d51baaadb9504fa7f88c88c00aef95f22cd4013c899d10f19a3c
Instruction Fuzzy Hash: 38618AB290E3C48FD7438B7488716D57FB1EF67214B0A45EBC484CB1A3D62C990AD722

Function 00007FFD340F5D85 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeda5a6a23b90d7f504f1af0f78c30ec32d6ed64783382cda31459430eaba41
Instruction ID: a58db297e5c1101658d186dd68bd1c63965fd0cd05d837fbecf846cb2ff5941d
Opcode Fuzzy Hash: aeeda5a6a23b90d7f504f1af0f78c30ec32d6ed64783382cda31459430eaba41
Instruction Fuzzy Hash: 04512A37B0D7554FD762EBACE8A11E937A0EF86365F0802B7C18CD7153DA28690697C1

Function 00007FFD340F2AAA Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fefd5b90f608b6793121888acb4d2cbef625272c1d3fa7e2133445174db84b
Instruction ID: 449929d0a506589898e68453bcf601a38ead3995a6c0b4c1820adfab0cc5389c
Opcode Fuzzy Hash: 30fefd5b90f608b6793121888acb4d2cbef625272c1d3fa7e2133445174db84b
Instruction Fuzzy Hash: 69711871E042298FDB69DF58C8A16EDB7B1BF19300F1041BDD14DE7282DA39AA81DF50

Function 00007FFD340F1405 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ee7c9b6c3b54c63b340d01a0395498dd305ba6d40ddb1fcf4f3a3ea099da6f
Instruction ID: 1ce4671a76678ee9a1b41e7163d5980cb6c34e3e00040989b78cfa42a7062fdc
Opcode Fuzzy Hash: 71ee7c9b6c3b54c63b340d01a0395498dd305ba6d40ddb1fcf4f3a3ea099da6f
Instruction Fuzzy Hash: 5F514271B0994D8FDB98EF28C8A5AE973A1FF59300F1001B9D41DD7292CE39AD82DB40

Function 00007FFD340F08ED Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05dd3103f036df6bf71971f8aba20823ca66df3ee9837613ed793b2bd166121
Instruction ID: 2ae8957d6c4f728a4494cf2ca7123b02c2b79888092c67cfe792f8f854fdbcad
Opcode Fuzzy Hash: a05dd3103f036df6bf71971f8aba20823ca66df3ee9837613ed793b2bd166121
Instruction Fuzzy Hash: 7E512D71A18A5D8FDB94EFA8C8A5AEDB7F1FF59300F50017AD409E7292DE396841CB40

Function 00007FFD340FE45B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb68e44244776e214041ca0cf720979f2a70d27335588e6b1d337a6293cbfb80
Instruction ID: 23a2cf0496b8e0004935a797da399351ed31687dfab50a20c121b9f5ebfd66ae
Opcode Fuzzy Hash: bb68e44244776e214041ca0cf720979f2a70d27335588e6b1d337a6293cbfb80
Instruction Fuzzy Hash: BE41D732B0D6C14FE356973448A52A53FE19F57314F1942BBE489CB1E3E92C6906A391

Function 00007FFD340FE40B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644a253cded403665e9f56021f116f38405c9d3f2872af32582ee4491061cef3
Instruction ID: d1cc3b601a1c2a63ea6d2c73b558ee40cf13965ab78291f61ceafc52568ae38f
Opcode Fuzzy Hash: 644a253cded403665e9f56021f116f38405c9d3f2872af32582ee4491061cef3
Instruction Fuzzy Hash: FD41E532B0D7C14FE316A73488A42A53FE1AF57314F1901BFE489CB1E3E92C6906A791

Function 00007FFD340FE499 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f81a6b39fd921d9c03653efdc7f0dc4287c6e2144a6f47c3615a14a84ac5323
Instruction ID: c936f1f369491825291e353482dfa7e9132c94eb5b4e4e3f312baf2f6d25cc3f
Opcode Fuzzy Hash: 6f81a6b39fd921d9c03653efdc7f0dc4287c6e2144a6f47c3615a14a84ac5323
Instruction Fuzzy Hash: 6841B232A0D7C14FE366A73448A51A43FE1AF57314F1901FBE489CB1E3E56C690AE392

Function 00007FFD340FE4B2 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acd8d568262e2ae862207a65800329dabf06ca3151e55dd362fab6e4981fb62
Instruction ID: e597c2df903bf721fd804ba230f5ea833d91eb8d764fd6ebc42728583dc07c31
Opcode Fuzzy Hash: 6acd8d568262e2ae862207a65800329dabf06ca3151e55dd362fab6e4981fb62
Instruction Fuzzy Hash: 0E41D232A0D7C14FE366973448A51A53FE1AF17314B1901FFE489CB1E3E96C680AE392

Function 00007FFD340FCD65 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c80c1f469be0acf80f99edc6999aeba85041b55d6c021c972c34bd84f749249
Instruction ID: 980b7c08612b95ba5bf6abd7db27637878216f11ca7e14675381ab05caa37ff3
Opcode Fuzzy Hash: 2c80c1f469be0acf80f99edc6999aeba85041b55d6c021c972c34bd84f749249
Instruction Fuzzy Hash: 8541A262A0E7C14FD717977488B51A57FB0EF53210B1941EFD4CACB1A3E91C684AE362

Function 00007FFD340FCDAF Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0353507428f347775a46fbfda7f38feb3dca8c66fbc073e55937c47cb3abbf
Instruction ID: 7017778701f49ebb5357ea30b5d420fc82c73fd7fa008c446e12fa3306691672
Opcode Fuzzy Hash: af0353507428f347775a46fbfda7f38feb3dca8c66fbc073e55937c47cb3abbf
Instruction Fuzzy Hash: 1F41C062A0E3C14FD723977488665A53FB0EF53310B1901EBD489CB0A3E95CA846E362

Function 00007FFD340FCD8F Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2334eee0997f39aef4ff23c9909b2b174ac232773d3eeab45f7f8c42fd4df3f0
Instruction ID: 31f8db2e6af4c3151fb14f9691f0528343217efd2a70ba7c04d1134e3d563c07
Opcode Fuzzy Hash: 2334eee0997f39aef4ff23c9909b2b174ac232773d3eeab45f7f8c42fd4df3f0
Instruction Fuzzy Hash: 4141BC6290E7C14FD31797748CA61A57FB0EF53210B1941EFD4CACB1A3E91C6846D3A2

Function 00007FFD340FA240 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419f807dbe4a34b782e65215ecb3f4fa94b6fecfaee9a4f212b6477f1548fa3b
Instruction ID: 4ea9b5a9eeb248c86e056532459ed6759f910ae6cd67289ee551dfa76e41111b
Opcode Fuzzy Hash: 419f807dbe4a34b782e65215ecb3f4fa94b6fecfaee9a4f212b6477f1548fa3b
Instruction Fuzzy Hash: D741396298E3C15FD3534BB05C265E27FB0AF13224B0E41EBD0D4CB4A3E61D5A5AD762

Function 00007FFD340FCDF8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725f5315f081f7db5903eb613c923677a1c4a098d50d7d6fa20feeee572496be
Instruction ID: 5ba656c927ec9e684ba9ec2eb3455b4d81a5f9399a8393b77b98980a77fd63a3
Opcode Fuzzy Hash: 725f5315f081f7db5903eb613c923677a1c4a098d50d7d6fa20feeee572496be
Instruction Fuzzy Hash: 2731BA7290E7C14FD71397748CA65A17FB0EF63210B0901EFD489CB1A3E95C6846D3A2

Function 00007FFD340F8D28 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f4fb2cfd768d814e6f1c08db128a7fa6032ceb4653af3f9d8939d9b1f46abd
Instruction ID: 16bf9c2ae31596613de146f493d3975c7e7ec38b63a9fd90e41a89abfe2649c2
Opcode Fuzzy Hash: 83f4fb2cfd768d814e6f1c08db128a7fa6032ceb4653af3f9d8939d9b1f46abd
Instruction Fuzzy Hash: 3831B23190C3C98FCB46DF6888A15E97FF0EF07310F0801E6D885DB193D628A856CB91

Function 00007FFD340FE171 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6f3fe4415cf1bf678f656f432511bfbd113014f6bad297be5d91c03eba46f7
Instruction ID: 12d54ae01ed630606bd10545d175269c9cea0c56afbe3214ca6839ca56b81150
Opcode Fuzzy Hash: 0f6f3fe4415cf1bf678f656f432511bfbd113014f6bad297be5d91c03eba46f7
Instruction Fuzzy Hash: 7221F973F0DA454FE398996888E557637D1EFD6710B15027FE54EC32D2D81CA80263C1

Function 00007FFD340F72B0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f5af7abe5c10396c676ba284a7b0de385b5d61f2995fa8d9949d182ee761ef
Instruction ID: e2fcfb750f7ffa189b96e76bb7de291bf86039f0cfce8d875d484e895da33038
Opcode Fuzzy Hash: d7f5af7abe5c10396c676ba284a7b0de385b5d61f2995fa8d9949d182ee761ef
Instruction Fuzzy Hash: FE31C231A0978A8FDB42DF64C8601EA7BF1FF56310F0441BAD904D7292DA3C9945CB91

Function 00007FFD340F1522 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4b6513107944bb274ca5fcc121697564378b8c8923997171bfb6d1fff150fc
Instruction ID: d22756bec1591ae50347657dc742107c383d4154165dd244372f7157f41a25ee
Opcode Fuzzy Hash: ef4b6513107944bb274ca5fcc121697564378b8c8923997171bfb6d1fff150fc
Instruction Fuzzy Hash: C0312D35B09A4D8FDB99EF18C894AE973A1FF59300F5005B9D40DD7252CA76AD82CF40

Function 00007FFD340FE289 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef4527f0b0d3ad83a722130ba41185b4b19446f927c34c97bd8f1c505e7c433
Instruction ID: 1890ab672064b17c00b91c155afcf963fc095805ceb5c24dbcae691de05a6c7f
Opcode Fuzzy Hash: 1ef4527f0b0d3ad83a722130ba41185b4b19446f927c34c97bd8f1c505e7c433
Instruction Fuzzy Hash: B731D372A0C3C64FE3569A6588A95603FE1EF13310B1900BBE18DC7093EA1C6C42E7D2

Function 00007FFD340F4A65 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0370d982f7f3d4695d4db059f801010f398e151d3dfc0c329a939f3666919b1f
Instruction ID: 9ac67fe704f4ab71a60e96d769359453809c5493769815410f3420533c3aa5ee
Opcode Fuzzy Hash: 0370d982f7f3d4695d4db059f801010f398e151d3dfc0c329a939f3666919b1f
Instruction Fuzzy Hash: FB312171B1894E4FDBE5EF18C8A5BE9B3A1FF68304F0041B6D00DE3196DE38A9859B40

Function 00007FFD340F14E2 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02b5725ac60e74e5284b5715db808830cfd01e589dcc9137c818f6014e0210e
Instruction ID: b12df329c32186ead8c0a7c2c25f6a4c068ae98edcb88085ba02e4900bc88d7e
Opcode Fuzzy Hash: e02b5725ac60e74e5284b5715db808830cfd01e589dcc9137c818f6014e0210e
Instruction Fuzzy Hash: 9C219475B095498FDB99EF28C8957E873E1FF59300F0401B9E44DCB292CA39AD82DB41

Function 00007FFD340FE539 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8906535a4f90fc7dc3cb22a9583ca7ed835d3f6fd49547d7364eba2473415f8f
Instruction ID: 7850c06d205ee7f8a494b794e4ae499f128dfa236bc246884fc6d1cb08978409
Opcode Fuzzy Hash: 8906535a4f90fc7dc3cb22a9583ca7ed835d3f6fd49547d7364eba2473415f8f
Instruction Fuzzy Hash: E6210D32B0C6C44FE355B72848A42B93BE5EF4B744F18017EE48DD7293E96C6905A381

Function 00007FFD340F12A5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e48fdd9b7eb760b8f63001257baf14b13895ac6f1fc56ef3aa2d9f41847612
Instruction ID: 4baf8865e333035016e811de387a0b745ab23acffc6a52d4ddc9c2f9d97c7a5f
Opcode Fuzzy Hash: c6e48fdd9b7eb760b8f63001257baf14b13895ac6f1fc56ef3aa2d9f41847612
Instruction Fuzzy Hash: C221D372B0DA9D4FEBA5DA68C8652E87BF0EF96300F0001F7D44CE6192DE386D459B41

Function 00007FFD340F5E48 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc74f11111e9cd6b73bc8424c1caf9c116e8c6cf168fb4fb5b03528faa23fb46
Instruction ID: 5d7fbec42921854c3eb87d4d4b52ad9333364ff9b4a8eb805904e156484c16f6
Opcode Fuzzy Hash: fc74f11111e9cd6b73bc8424c1caf9c116e8c6cf168fb4fb5b03528faa23fb46
Instruction Fuzzy Hash: E921C131A08B4D8FDB65DF68C8546EA77F1FF5A351F00027AD40DD7291DA34A9448B80

Function 00007FFD340F473E Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26772e0368741de453fdce2a20b896deb32256bde764c643182bc4644435055d
Instruction ID: 5e4707395a122013eac58ed0d6098eba4326bc50b0e85764f221fc04d82d68e8
Opcode Fuzzy Hash: 26772e0368741de453fdce2a20b896deb32256bde764c643182bc4644435055d
Instruction Fuzzy Hash: 2D210975A08A1D8FDF98DF98C895BED77B1FF69311F10016AD50DE7261CA34A880DB40

Function 00007FFD340F3730 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94045b9b712757f03c45bf4f668911d069465d7edb5d723deb304e239f1e81c2
Instruction ID: 0b2194b3d9fd7a87bfe831d3bf9e6a0cbc25f0f9231c5de7aa08a53b58349025
Opcode Fuzzy Hash: 94045b9b712757f03c45bf4f668911d069465d7edb5d723deb304e239f1e81c2
Instruction Fuzzy Hash: 8B216A72A1460D8BDB44EF58C8819FEB7F0FF58304F000176E809E3281CA38E8A19B91

Function 00007FFD340FA341 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4013f92fe70057daff2a7895ab292bda00d13c9763ff372c5fe9a6ca9d37e722
Instruction ID: 835ec3f517755940b6a21ed9da2b282ef392202aaaaf1364ca202167e49acc1e
Opcode Fuzzy Hash: 4013f92fe70057daff2a7895ab292bda00d13c9763ff372c5fe9a6ca9d37e722
Instruction Fuzzy Hash: E611B172E08A4C9FDB81EB98C8A5AED7BF1FF5A710F000176E509E3192CB3C6454AB40

Function 00007FFD340FA4A8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd00e99b5aa9b7b3768616e6a49b3363a95f0a68ab12910e893336508b91f06a
Instruction ID: 0c2cdae19402a960fd081ae63bec5627aad32cbc73cf1ed6b75987cbd025a4f5
Opcode Fuzzy Hash: fd00e99b5aa9b7b3768616e6a49b3363a95f0a68ab12910e893336508b91f06a
Instruction Fuzzy Hash: CA210771E04A4E8FDB48EF98C4A95ADBBB1FF99310F14413AC109E7295DA3869819B80

Function 00007FFD340FCFDB Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca82b29384c0e1e39868025c2daacb88d348235a5e22453fd4dcc6a772a77fbe
Instruction ID: 68b6b0d7c5f9fb6d326b791ebf00186f17eb2dc90ef654202d8a8575f088716f
Opcode Fuzzy Hash: ca82b29384c0e1e39868025c2daacb88d348235a5e22453fd4dcc6a772a77fbe
Instruction Fuzzy Hash: FC01523171C5454BE76C9A1884A15B837E6FF46301F20503DD597C71C6DE3CE942A680

Function 00007FFD340F4683 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9501c896aedac63b480529088c36278058473e22cb5fc419d715248def3fef
Instruction ID: 9f3913236429ced81b60d25f2bc6e34e01e31a15d613c1d1986152e279e0b087
Opcode Fuzzy Hash: 7a9501c896aedac63b480529088c36278058473e22cb5fc419d715248def3fef
Instruction Fuzzy Hash: B011E834B155098FCB48DFA8D894AADB7F2FF99301F108129E40AEB394DB38A905DF04

Function 00007FFD340F98E5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaadf2d203c4ac77443ebfb96c67a2b1786b6df09bec5488597b9c7814c6f39
Instruction ID: b912a7ee7f30491d3a8025502f9a23bcff29666ec621494d0c225b57e6834569
Opcode Fuzzy Hash: 8aaadf2d203c4ac77443ebfb96c67a2b1786b6df09bec5488597b9c7814c6f39
Instruction Fuzzy Hash: E1018F31A1878D8FDB50DF2888965E97BF0FF1A310F41117AE808D3191DB38E8549B81

Function 00007FFD340F3805 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5fec1c9c567f32e456af9e7d5cd92fdb72d09915df8e174dba5d642fb9a2ba
Instruction ID: eb92840e3891fbcdccda20b89a458886a4ca97c6f4d37151a49df35983b80182
Opcode Fuzzy Hash: 0a5fec1c9c567f32e456af9e7d5cd92fdb72d09915df8e174dba5d642fb9a2ba
Instruction Fuzzy Hash: 98014C37F0D2965BD3526B3C98954EA3BA0DF43314F040076E558CA093E62C9A09D7D2

Function 00007FFD340FCF3D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5551c3e030578df6c2f1c8ddc39fa41b3aafc5c652e27e44dd89b9553a51cdb9
Instruction ID: 413b4ce9041b74de1bb3bb46afe1f31929a0aaf52abc7863096cb55e4a644357
Opcode Fuzzy Hash: 5551c3e030578df6c2f1c8ddc39fa41b3aafc5c652e27e44dd89b9553a51cdb9
Instruction Fuzzy Hash: 3B018F31B2C5454AE7689A2884F55B837E2FF46301F20413DD5ABC61C2DE3CEA42A240

Function 00007FFD340FE109 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe10a0ccc9a888b940ac2cccd4f79e5d759d8c1683e4c1079aee2ba460d6720
Instruction ID: 8a1496630a99a2a8cea32fac6a3877a1478099cdd9c17dada38f2061f9c7715d
Opcode Fuzzy Hash: efe10a0ccc9a888b940ac2cccd4f79e5d759d8c1683e4c1079aee2ba460d6720
Instruction Fuzzy Hash: B801443091878D8FDB51DF6488156EA7BF0FF59301F4505A6E418C7161E734D554CB81

Function 00007FFD340FB58A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cdd13d58aaa19378d4a1d99df92e583842f524f36db047d66a9bc25e9787b0
Instruction ID: f1f798a451aca23c6cef66469093a737f9a3f4317fb00e53479df8bdf917e0d1
Opcode Fuzzy Hash: 96cdd13d58aaa19378d4a1d99df92e583842f524f36db047d66a9bc25e9787b0
Instruction Fuzzy Hash: 1F01D274A08A4D8FDF90EF6CC889AEA7BF0FF69304F000566E918D3260D774E9549B81

Function 00007FFD340F33E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08a4c2d0f256fb0fa4cd93c740016a04dfd9da0c1788e7fb42cc1d4e69dc806
Instruction ID: 5c13f35eafc0a0cde4186841cc4b28013e59733f62e3ffc36c00617f5604a438
Opcode Fuzzy Hash: a08a4c2d0f256fb0fa4cd93c740016a04dfd9da0c1788e7fb42cc1d4e69dc806
Instruction Fuzzy Hash: 54014630914A0D8FDB91EF68884A6FE77F4FF18305F400A6AE81CD3251DB38A5548B80

Function 00007FFD340FBA61 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48e2710ca3929ca83fcc1f63459d3957b62541a077b0987a4e8cc7bc5465dfc
Instruction ID: 6a6ed9eaa52fd4ab678ba16cf1cc2621c80f452f4ec9815045949b2d82d9760d
Opcode Fuzzy Hash: e48e2710ca3929ca83fcc1f63459d3957b62541a077b0987a4e8cc7bc5465dfc
Instruction Fuzzy Hash: 58F0B471E1968DCFEB91DF6488592EE7BF0FF19300F4105BAD518C2191DB389554DB41

Function 00007FFD340F33F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa2d5bcb2e49785905925eb2c1c1e65a461332cc7852aa4e77c877f0af90b10
Instruction ID: 63993056bae4eb8b63ee1e78c0500b2a55d3424a0b3dcc7618c256343f7f2317
Opcode Fuzzy Hash: 1fa2d5bcb2e49785905925eb2c1c1e65a461332cc7852aa4e77c877f0af90b10
Instruction Fuzzy Hash: 32F0E730914A4D8FDB90EF6888496EE77F0FF58305F400A6AE818D3250DB34A6549B81

Function 00007FFD340F1636 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb3a2badb18d4c557d5bdda81f4c706d64fe754bf3d6d9fd200ba31120d54d7
Instruction ID: 0298b21417ef0af83f9be74ad6644dd8b3c7bad06a477b9115dd4a6e97f574b0
Opcode Fuzzy Hash: 1cb3a2badb18d4c557d5bdda81f4c706d64fe754bf3d6d9fd200ba31120d54d7
Instruction Fuzzy Hash: 5AF0E231A169299FDB90EA18C899E9973B1FF69300F5041E4A40CD7261CA39ED81CF40

Function 00007FFD340F0877 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aec87a25bb9bd152997d96c7ab2b8ff8c0f2dfb4b183fbd882d21bcb9b7c654
Instruction ID: b97bee616cb069d6100662f801a242cd2dd0eee83ee4935eefc785de68c779ef
Opcode Fuzzy Hash: 2aec87a25bb9bd152997d96c7ab2b8ff8c0f2dfb4b183fbd882d21bcb9b7c654
Instruction Fuzzy Hash: 7BF05E22B4E7CA0EE726637844B91E97FE0AF03200F4918B7D589C6093DD1C6459D362

Function 00007FFD340F67B8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef30ed2090e4d491d44fbd2d48f6de80b77532c7da693ab988e7c54cbb995e1
Instruction ID: b000f6492ed5ef98dc3380953873f67d2fe12ff44e62e4992db111c13f3fc7b2
Opcode Fuzzy Hash: fef30ed2090e4d491d44fbd2d48f6de80b77532c7da693ab988e7c54cbb995e1
Instruction Fuzzy Hash: CBF06D71A0E68A4FCB59EFA0C5958EDBB61FF12344B5002BDC006AB287CA39A416DF40

Function 00007FFD340FB958 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c371bef138ab410ae2d0c41963c58893f1f8bf482d1146e0f0532740c8c4893
Instruction ID: 532320c7467c7e36727261a35f6984f6bafc804e99bc10b2dff618e900cd9164
Opcode Fuzzy Hash: 6c371bef138ab410ae2d0c41963c58893f1f8bf482d1146e0f0532740c8c4893
Instruction Fuzzy Hash: DFF0A735E1864D8FEB60EFA888552EEB7F0FF05300F00047AE91CD2152DB7495589B40

Function 00007FFD340F6675 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdd9f3cd7ca44dde2ec6c357ee2ee6bcbdd0832bace1ac448eec2659e511de9
Instruction ID: 7a82fcd7be760e623126fa31f9b88160706025dfcad404077ee61d375e1a3aaa
Opcode Fuzzy Hash: 0bdd9f3cd7ca44dde2ec6c357ee2ee6bcbdd0832bace1ac448eec2659e511de9
Instruction Fuzzy Hash: FFF01D31A056198FCB9CEF64C4A19FDB772FF55301F5001BDD10AA7291CA3AA942DF00

Function 00007FFD340F215A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5d3eb204961c1343b49ffcc282f879bf006cdedfc8b446a1bd2b5f9b2ef202
Instruction ID: cafeeb54b110c9fa47d50cba159d5ecbb43b1cb722d4cf174cba89fbabdf9635
Opcode Fuzzy Hash: fa5d3eb204961c1343b49ffcc282f879bf006cdedfc8b446a1bd2b5f9b2ef202
Instruction Fuzzy Hash: EFE09236B0560A4FDB44EF54DDA25EEB361EF89300F404475EA1CC3186CE386814B640

Function 00007FFD340F681A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d51f36124ae96078a704c2fbc8c2014a9c041ce961611c7304a1de7a84166e2
Instruction ID: a93d9c9113b5973343eaa1e199c143abb9366a35051d0e7239e31a8c63418b60
Opcode Fuzzy Hash: 5d51f36124ae96078a704c2fbc8c2014a9c041ce961611c7304a1de7a84166e2
Instruction Fuzzy Hash: 97F05E71E1960A8FDB58EFA0C4954ADB761FF11741F60067DD10AAB286EE38A412EB40

Function 00007FFD340F3410 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38fd62d46a72a137d29143df2f1f79a88bbf0d14b1c131f09c56f8b6323d14e
Instruction ID: 8f18b9ed60f05a9f834610ca912de1aeaba5cf0278ecdcd0cfc82e3b9f98e154
Opcode Fuzzy Hash: b38fd62d46a72a137d29143df2f1f79a88bbf0d14b1c131f09c56f8b6323d14e
Instruction Fuzzy Hash: BDF0C031E1454D8FEB50EFA489582FEB7F4FF45304F400976E51CD2191DB74A5549B41

Function 00007FFD340F21D9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446dd6d0497779c0909136c278ab4eecbdb6534b568f74b68fa255cb8a8aa494
Instruction ID: 7bc19658db070bc96bb8068a02425d40588a6c33da2ce490dd6dcaf9514d60b8
Opcode Fuzzy Hash: 446dd6d0497779c0909136c278ab4eecbdb6534b568f74b68fa255cb8a8aa494
Instruction Fuzzy Hash: 67E01A36B1454E4BDB40EF14DDA15EAB362EF89210F405971E91CC3186CE38A815AB40

Function 00007FFD340F7038 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7b11082496024bded4bab1babc3366ea98f3ad3c87ded08969e4249184d344
Instruction ID: 1db3be5a9fb92b3987ad2231e16921abaf69e29af8903055813daa163bfe8dec
Opcode Fuzzy Hash: 8d7b11082496024bded4bab1babc3366ea98f3ad3c87ded08969e4249184d344
Instruction Fuzzy Hash: 5BE06C31B1911BDEDB14CB6140605BC7371FF55300B30447EC5499B2D0EA3F9902BB54

Function 00007FFD340FA0A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8dac27ef631906b1154e13f487fa785b754e13137e8e96f147327e55525513
Instruction ID: 8ca4ebb1f1126aa1aaf8ab766391be0df62b5f8aa8ad251d5c57e2f04bfeca61
Opcode Fuzzy Hash: cc8dac27ef631906b1154e13f487fa785b754e13137e8e96f147327e55525513
Instruction Fuzzy Hash: 07F01C30E445598EEB98DB28C8A1BE9B6B1FF09300F4040BAC00DE2281CF3959809F00

Function 00007FFD340FBB85 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecd0b625160001ee89f5b80a7e0c70cc8e0cb3c6c40e10aa66ef8400f5612b1
Instruction ID: b53fc38c204d2500710e88aa164b99f95979207be5c9ba673f3d4a5c9f2ed350
Opcode Fuzzy Hash: aecd0b625160001ee89f5b80a7e0c70cc8e0cb3c6c40e10aa66ef8400f5612b1
Instruction Fuzzy Hash: 9EE01A2690E3C84FD7135B608C655A67FB0AF43110F0982E7E688CA0A3D65C5A18C752

Function 00007FFD340F08CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d919a1c44753663c7d4576adb38fce8bce8cac6d999479faee956e604239c758
Instruction ID: 8390cb8fc2a64b9adef813f4e95d5cc8592308338977323904c3b0b7c909aa71
Opcode Fuzzy Hash: d919a1c44753663c7d4576adb38fce8bce8cac6d999479faee956e604239c758
Instruction Fuzzy Hash: 24D0C971E0880C9EEB44EF98E8515EDB7B4EF45210F0012B7D50DD3152DE356A518640

Function 00007FFD340FC878 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd433a3773b4813755ab26fc942a5e4f6d11ff0121124be235578535844f5032
Instruction ID: 909a234150e2a19a3bc4d4744adaec0e6cef17ef685b1493f2d1dcf3923ac431
Opcode Fuzzy Hash: bd433a3773b4813755ab26fc942a5e4f6d11ff0121124be235578535844f5032
Instruction Fuzzy Hash: 27C09B1379A51D0DD5D45A5C7C911A4B780DB8513178115B7DA09C524BD85F484157C1

Function 00007FFD340F42BA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb52318dff0cc622ab8399d6be62b79ce7b7b0f378eea1cc78c73ef878c6a890
Instruction ID: 5f13b7a15b909e3b3b3c0bdfda372cd55bb022d3e4a8358d6dac8a5dbed73cce
Opcode Fuzzy Hash: fb52318dff0cc622ab8399d6be62b79ce7b7b0f378eea1cc78c73ef878c6a890
Instruction Fuzzy Hash: 42E01730E1450E8EDB95EBB9C8913ECB6B2BF59300F4084F9D44EF2295CB382981AF00

Function 00007FFD340F707C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344823176.00007FFD340F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd340f0000_Invoice Shipment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99e214ea31bcc46357b61b4bae6a2dd36849591aa7ae86073fb1d9338b71b1f
Instruction ID: 8d336dffee14e7f316a7a597a4fd7fff274d6ef3f4c2e772a014659349e35e96
Opcode Fuzzy Hash: a99e214ea31bcc46357b61b4bae6a2dd36849591aa7ae86073fb1d9338b71b1f
Instruction Fuzzy Hash: ADD09230A0560A8ECF88DF3481915A873B2BF59344B205879D01ADA295EA3AE812EF14

Analysis Process: qGapNjaVVUPNU.exePID: 3500, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD340DE253 Relevance: 3.1, Strings: 2, Instructions: 598COMMON

Download Yara Rule

Strings

L, xrefs: 00007FFD340DE9FE
1Gf', xrefs: 00007FFD340DEBC0

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID: 1Gf'$L
API String ID: 0-972744021
Opcode ID: 2a239bb3b7e7d03c94d9b80052ef6db6b7b81bd8c8a61f715bcff575e48bdb3b
Instruction ID: 4c50800d02c3e76611908eda4aae41c591c504a8275b40620f1c4116414f9019
Opcode Fuzzy Hash: 2a239bb3b7e7d03c94d9b80052ef6db6b7b81bd8c8a61f715bcff575e48bdb3b
Instruction Fuzzy Hash: 5A12D271A0E7C54FE3169B3488A55A57FF0EF47310F1901EBE489CB193DA2C684AE792

Function 00007FFD340DC229 Relevance: 1.8, Strings: 1, Instructions: 576COMMON

Download Yara Rule

Strings

"P_H, xrefs: 00007FFD340DC61F

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID: "P_H
API String ID: 0-48700960
Opcode ID: 887477fc9c726e4cd56cd24c71a2ecf7d7e88a3597964b5c62dd300c0ce6eb43
Instruction ID: c16802bce261028e244fe4874d8174eac49ab724a520c034713a33efca3ff70f
Opcode Fuzzy Hash: 887477fc9c726e4cd56cd24c71a2ecf7d7e88a3597964b5c62dd300c0ce6eb43
Instruction Fuzzy Hash: D6120772E0E2C64FE726D76488A56653FB0EF57300F1845FBE189C7193EA2C640EA791

Function 00007FFD340DCF93 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

7, xrefs: 00007FFD340DCFB7

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: f76fb7821b6ebb9ffe7e19fab6e27630f1f7858e9292adc8417313a1ab746882
Instruction ID: aa780633abd1e93be1080d23b39b2eb1d8382cff1f78b719c074f47a6aabc1ac
Opcode Fuzzy Hash: f76fb7821b6ebb9ffe7e19fab6e27630f1f7858e9292adc8417313a1ab746882
Instruction Fuzzy Hash: EC119E30B2C6594BD76CAA2C84A14BD73E2EB9B701B24943DF58BC72C2DD3CE9466240

Function 00007FFD340DD008 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD340DD01A

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: cfc3005372cae6950bd5e988705fb733b0ec0385375a1c3aadb6a47a27cdd2df
Instruction ID: 8f57246a83e5e72da8cff3ab793131be1ec63b0e4184912b0c8a0488f7ed9589
Opcode Fuzzy Hash: cfc3005372cae6950bd5e988705fb733b0ec0385375a1c3aadb6a47a27cdd2df
Instruction Fuzzy Hash: 57118F70B1D6558AE72C9A2880B01BC77E1EF87301F20543DF59BC25C1DD3CE946B200

Function 00007FFD340DCF79 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

7, xrefs: 00007FFD340DCF7D

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: b18f89755c318db0f49b6ce3d0d421520d83cfbe4bcb5bdb2bf78c6abb651d3d
Instruction ID: 809b158f6d573f0ea45919a8a3d6acc47dc843eeab460ecb71de4cf64a20413a
Opcode Fuzzy Hash: b18f89755c318db0f49b6ce3d0d421520d83cfbe4bcb5bdb2bf78c6abb651d3d
Instruction Fuzzy Hash: 2201AD70B2C5954AE72CAA2884A04BC73E2EB47701F20543EF59BC21C2DE3DE946B240

Function 00007FFD340D1C25 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bed17ffde01e0865d2ee54f9778145cc63161cc96b6d347684c6a6c800ed70b
Instruction ID: 6fc5a26c298b42b8485062f4805173b2371745f01c44a05a4ca5192206c9ac0b
Opcode Fuzzy Hash: 5bed17ffde01e0865d2ee54f9778145cc63161cc96b6d347684c6a6c800ed70b
Instruction Fuzzy Hash: 54F14C30A0AA5E8FDB95EF18C895BA977B1FF5A304F0005E9E40DD7296CA34AD85DF40

Function 00007FFD340D1699 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0a76e90c67baced4f8d90a841a596b535a4c471b27ed3b940fcc76f736a527
Instruction ID: e7273dca5b8d3d783b455e97f3b7e3212aef622c8f575f10ee34e9e4be1b7bbc
Opcode Fuzzy Hash: ca0a76e90c67baced4f8d90a841a596b535a4c471b27ed3b940fcc76f736a527
Instruction Fuzzy Hash: 99E13030A09A4D8FDB98EB28C895BE977A1FF5A304F1005B9E40DD7296CE35AD45DF40

Function 00007FFD340D9955 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525b89f8b3d55c7e1c975b0066eb0f80b147e9a070a50476761128af47891b9b
Instruction ID: ebca8cd00f8751bb439b13ee5337d8882a4a299b4e3099d3e2e612039738f247
Opcode Fuzzy Hash: 525b89f8b3d55c7e1c975b0066eb0f80b147e9a070a50476761128af47891b9b
Instruction Fuzzy Hash: 2DD1E870E09A1D8FDBA4DF68C8A57E9B7F1FB5A300F5041AAE44DE3251DE3869849F40

Function 00007FFD340D288E Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62944121290cb3bbefc258a67559821eb99c7ffac737283863ebe388b779cf4
Instruction ID: 94db82dfd7ac5e1efd2ededc7e656f170c04859d2a3213439cb0af6caccbadd3
Opcode Fuzzy Hash: d62944121290cb3bbefc258a67559821eb99c7ffac737283863ebe388b779cf4
Instruction Fuzzy Hash: 64E15B70E096198FDB69DF58C8A16EDB7B1FF1A300F1001BDE109E7282DB386985EB50

Function 00007FFD340D1DED Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbe035f250f70cdca45ab0680f417064ada20ae25046c596fcb98447348b796
Instruction ID: dd18fea44a64f4352ce7e9c8f14f32abfbcae21bf6eab0f7db7cb1cb0d0624a5
Opcode Fuzzy Hash: dfbe035f250f70cdca45ab0680f417064ada20ae25046c596fcb98447348b796
Instruction Fuzzy Hash: 57B1E730A0591E8FDB99EF18C894BA9B3B1FF6A300F1041E9A41DD7256CA35EE85CF40

Function 00007FFD340D1DA8 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe17a21dc427bcf33317e016c7ab98a951628434cc4296af167e547400722fb6
Instruction ID: c99ffdff7ca080790c67073ca41da52a54492870437716cac29661b82e7d536f
Opcode Fuzzy Hash: fe17a21dc427bcf33317e016c7ab98a951628434cc4296af167e547400722fb6
Instruction Fuzzy Hash: 86A1E730A0595E8FDB99EF18C895BA9B3B1FF5A300F1041E9A41DD7296CA34AE85DF40

Function 00007FFD340D44DC Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9366a99d24d1083d425d64550c72954cee98118c92480cb44d0c39cb72adbb
Instruction ID: 89eeefe38a245f7362d3064db83988c35f4eb980e8da180d4984428155389301
Opcode Fuzzy Hash: 6c9366a99d24d1083d425d64550c72954cee98118c92480cb44d0c39cb72adbb
Instruction Fuzzy Hash: 4C819F70A0D6888FDB46DB68C8A5BE97BF1FF57300F0500EAD049D72A3DA385949DB11

Function 00007FFD340DCC14 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9981f571ecbc933d6eea36bc8d149f49deb7e2eb2dbc244df8a7f81e9e9af55c
Instruction ID: 13eb0913fa03296101c526e99f9fcfd0586b1c4497eba7108dba2bfb980d558b
Opcode Fuzzy Hash: 9981f571ecbc933d6eea36bc8d149f49deb7e2eb2dbc244df8a7f81e9e9af55c
Instruction Fuzzy Hash: 8A61F671B0E2C14FD71ADB2488A55653FF1EF53300B1541EEE48ACB1A3D92CE84AE792

Function 00007FFD340E69D0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb40fd496dadeaf5bbaf8ce7976abeae2b10abdf8f95bc05000328d93f15ed9b
Instruction ID: fea188319cd85fdcc674f7eab3f6e0c20697e399b9e31f338661eef5154d17e3
Opcode Fuzzy Hash: cb40fd496dadeaf5bbaf8ce7976abeae2b10abdf8f95bc05000328d93f15ed9b
Instruction Fuzzy Hash: F5710930A0890D8FDB58DF58D494ABE77F5FF59340F540469E50AE7291CA38E8A1EB90

Function 00007FFD340D6B01 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60ba08106e00d0c806cc6d2e3e2744a50048c0017eab41eaf9d27a3b9ac057b
Instruction ID: 382388f93695873a4b266db5e812957d8c26d386cec42758dc8d151e17a44f47
Opcode Fuzzy Hash: d60ba08106e00d0c806cc6d2e3e2744a50048c0017eab41eaf9d27a3b9ac057b
Instruction Fuzzy Hash: 9371AF7190E3C98FD703CB7488616D57FB1EF57214F0A45EBD485CB2A3D628990ADB22

Function 00007FFD340DCC93 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca7200788cff7a7953c2315f38edbfd9e7e856262a95674e71dd525d997c541
Instruction ID: 92dd2e086fdfb68c957f8d2ebeccf3a5dc652f4b86a6b144f870119d854a0262
Opcode Fuzzy Hash: 3ca7200788cff7a7953c2315f38edbfd9e7e856262a95674e71dd525d997c541
Instruction Fuzzy Hash: E151C57170E6C14FD71ADB24CCA55653FB1EF53310B1A41EAD08ACB1A3D928EC0AE792

Function 00007FFD340D5D85 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9434a453ce4322c08f994b11e5cdada526c51d62aef0c366cbfa5448b00bd1
Instruction ID: 0af96498040c0c35ead7a578fe61cc2fd4fb33c64e2921f158fde756cc66c4c9
Opcode Fuzzy Hash: 8e9434a453ce4322c08f994b11e5cdada526c51d62aef0c366cbfa5448b00bd1
Instruction Fuzzy Hash: 17512737B0D6654BD762FBACA8A11D937A0EF43365F0802B7D68CC6152DD28590A9BC0

Function 00007FFD340D6B68 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498c1e2ce38b1c1a068e3b006bbc82111cc44dbeda8ce3d0e012f3bbca01787a
Instruction ID: aadfc3fd19124695f1dee9fb1370f35982895ce269c484d2c8ab32e15f2cfc55
Opcode Fuzzy Hash: 498c1e2ce38b1c1a068e3b006bbc82111cc44dbeda8ce3d0e012f3bbca01787a
Instruction Fuzzy Hash: 906189B190E3C88FD7438B7488716D57FB1EF67214B0A45EBD485CB2A3D62C990AD722

Function 00007FFD340D2AAA Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d957968e0c66a840ec8301838cabf80ae833a5ee0c4c793ebdb552291ede59
Instruction ID: 02fd52641e36a906cd87fc29a68b60248f4d0e1b6a55da410afd6ece7a88c240
Opcode Fuzzy Hash: 40d957968e0c66a840ec8301838cabf80ae833a5ee0c4c793ebdb552291ede59
Instruction Fuzzy Hash: 9F712970E092298FDB69DF58C8916EDB7B1BF1A300F1041BDE14DE7282DA396A85DF50

Function 00007FFD340D1405 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1adef36112824135a83708806897893b5eceb8b2c066b81b4bbfccec951fd7
Instruction ID: f5f927d3fa1c8dedf56aa3a162f651a8cfd439e43f251dbfd08aa199915d3fb3
Opcode Fuzzy Hash: be1adef36112824135a83708806897893b5eceb8b2c066b81b4bbfccec951fd7
Instruction Fuzzy Hash: 3B514230B0954E8FDB98EF28C495AED73A1FF59304F1005B9E41DD7296CE39A985CB40

Function 00007FFD340D08ED Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1874f5a9a4a69f32bd363a6354f10272d1cfde4a08da57aecd7925647b6032f5
Instruction ID: 021d4a07113af92abe21dab98e822f609f741c33f2496c41394c7ab1015161da
Opcode Fuzzy Hash: 1874f5a9a4a69f32bd363a6354f10272d1cfde4a08da57aecd7925647b6032f5
Instruction Fuzzy Hash: AF511B70A19A4D8FDB94EFA8C8A5AEDB7B1FF59304F50017AD40DE7292CE386841CB40

Function 00007FFD340DE45B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047b075be615a7ce68aa2da6da12d078dc4635dea57f28db84e33222c4cc6921
Instruction ID: d05603d28bece453c1a6e71b92087efb77606db17c4584ade3097c42864c78bc
Opcode Fuzzy Hash: 047b075be615a7ce68aa2da6da12d078dc4635dea57f28db84e33222c4cc6921
Instruction Fuzzy Hash: 1C410731B0EAC14FE316A7344CA42653FE1DF57314F1942BBE489CB1D3E92C5809A391

Function 00007FFD340DE40B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf5b4aee0bd5faf73bc9c819398d2f6f24ec70745256d72e447645b4728595d
Instruction ID: 1641ab99971ef4f275996ab00649aba9f080ad6e34c24d7317528ce0c5cbd4a0
Opcode Fuzzy Hash: adf5b4aee0bd5faf73bc9c819398d2f6f24ec70745256d72e447645b4728595d
Instruction Fuzzy Hash: 0341C531B0EBC14FE316A73488A42A53FE1EF57354F1901BBE489CB1E3E92C5909A391

Function 00007FFD340DE499 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07ee1cfcc8d9953d17afbc5f6ce4db936d51593e98f68612e278099c4cce49d
Instruction ID: 03e7e3c1d4232c7d04d33402641bb290274a4e59d1c4beeb5badb91001e3db5c
Opcode Fuzzy Hash: b07ee1cfcc8d9953d17afbc5f6ce4db936d51593e98f68612e278099c4cce49d
Instruction Fuzzy Hash: 9141B231A0E7C14FE366A73448A52A53FE0AF57354F1901FBE489CB1E3E56C590AA352

Function 00007FFD340DE4B2 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa9ad812a1d51a4d1644c3780b7d219889212ffb1cb7b10ce29da7afdc29ce5
Instruction ID: 079b07be0922bcd6d9714d909fe5db1a13bc71fc90133568cdc895b81198bc9c
Opcode Fuzzy Hash: dfa9ad812a1d51a4d1644c3780b7d219889212ffb1cb7b10ce29da7afdc29ce5
Instruction Fuzzy Hash: A041A071A0EBC14FE356A73448A51653FE0AF57354F1901FBE489CB1E3E92C580AE352

Function 00007FFD340DCD65 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e764f03c9dffa7995cf54699b6a89b34046582161bf430fd495a5101325c1237
Instruction ID: cb9ea28891e3055db334238153393693f1d685a9e46a251c64d045affa85e22c
Opcode Fuzzy Hash: e764f03c9dffa7995cf54699b6a89b34046582161bf430fd495a5101325c1237
Instruction Fuzzy Hash: CF41C061A0E7C14FD71397748CA51A57FB0EF13210B1941EFE4CACB1A3E91CA84AD362

Function 00007FFD340DCDAF Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2978af803d08d4fd21932281161c38f9a5b0831542707b0d7ea83f6175579e
Instruction ID: b10e7ea7a7d7c383b59234b5c734a73a58525db34469c4422f79dedeab3d2769
Opcode Fuzzy Hash: 7d2978af803d08d4fd21932281161c38f9a5b0831542707b0d7ea83f6175579e
Instruction Fuzzy Hash: BD41C062A0E3C15FD72397748C651A53FB0EF13210B1941EFE4CACB0A3E95CA84AD362

Function 00007FFD340DCD8F Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d90e292b5c095d58aed0b848ebce2edf2526a6fc09a4dbb54a374f460fd4963
Instruction ID: 7fcc7854e2201840a937c3df9197ca41654c3de82ee11caa22f8c5254b02231c
Opcode Fuzzy Hash: 7d90e292b5c095d58aed0b848ebce2edf2526a6fc09a4dbb54a374f460fd4963
Instruction Fuzzy Hash: 5D41CE6290E3C14FD71797748C651A13FB0EF53210B1941EFE4CACB1A3E91CA84AD362

Function 00007FFD340DA240 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77661b66fefa3adf91749b3a97a1da765001f932fd876e761bf73cb1c72ea26d
Instruction ID: cd004ba4fd6033d8fb0b174f6957508dabf1910a9349a671d2705101b90d534e
Opcode Fuzzy Hash: 77661b66fefa3adf91749b3a97a1da765001f932fd876e761bf73cb1c72ea26d
Instruction Fuzzy Hash: 1441476298E3C15FC3434B745C265E27FB0AE13224B0E41EBE0D4CB4A3E61D5A5AD762

Function 00007FFD340DCDF8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8478f354b2d6b8bcd484e5eb11f57fab708f1696fce0a9646bb56ebe1d4287
Instruction ID: 25ee9e0929af369ba7d1f4e526b812f3f7e4d5c98d9b234771077079a4bd7b51
Opcode Fuzzy Hash: 2c8478f354b2d6b8bcd484e5eb11f57fab708f1696fce0a9646bb56ebe1d4287
Instruction Fuzzy Hash: 6731986290E7C14FD71397748CA55A17FB0EF63210B1A41EFD489CB1A3EA58684AC7A2

Function 00007FFD340D8D28 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb65197c7c05f6d560fc6d1b269f7d4174bf1d36b6a8dbf0743acbc39ecc5481
Instruction ID: add5c7ed04ad480da65d2875db404a2379f167f4053495eb6d12be3d807d7f6b
Opcode Fuzzy Hash: eb65197c7c05f6d560fc6d1b269f7d4174bf1d36b6a8dbf0743acbc39ecc5481
Instruction Fuzzy Hash: B831A33190D3C98FCB46DF68C8A15E97FF0EF17310F0901E6E885DB192D628A85ACB91

Function 00007FFD340DE171 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5a1ef2bc50be697cb9560ce79b7d52deabf8f7d5f15eda8e77d4e80c5fce04
Instruction ID: f4723f8342946a78dbaf597cbb161e898f627e505e04d1936a364916fcc9b5f2
Opcode Fuzzy Hash: bd5a1ef2bc50be697cb9560ce79b7d52deabf8f7d5f15eda8e77d4e80c5fce04
Instruction Fuzzy Hash: D321F772B0EE854FE3589A6888A527537D1EBDB710B15027FF58EC72C2DD1C6C06A381

Function 00007FFD340D72B0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48a05ce7d531c266198e79c0d0cee1472ff5341cdc6ede378e2221adaf727f6
Instruction ID: ab312483d13ae40eb35047445ed5554e55daec2a19af4ec7dc06b6d9a1d05447
Opcode Fuzzy Hash: d48a05ce7d531c266198e79c0d0cee1472ff5341cdc6ede378e2221adaf727f6
Instruction Fuzzy Hash: FD319431A0978A8FDB42DF64C8602EA7BF1FF56310F0445BBE904D7292DA7C9945CB90

Function 00007FFD340D1522 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082cb5c278545656e9c3064f2cf613bbd810ac92ce6bd919b98158d64674f13f
Instruction ID: cb4d73e0c2d813e218cc793886efa036a477b8a7f7fc63a30dcf927c99a6f518
Opcode Fuzzy Hash: 082cb5c278545656e9c3064f2cf613bbd810ac92ce6bd919b98158d64674f13f
Instruction Fuzzy Hash: 30310E7470564D8FDB99EF18C4956ED73A1FF5A304F1004B9E40DD7251CA75AD82CB40

Function 00007FFD340D4A65 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfba642e6058c3edd19741c7f4b23353daf450e7b748ff5c3eab5dbaa2483a3
Instruction ID: c3502e094cea551ea39dd3310b8693f34449b83830796174e4fa0d16278f419e
Opcode Fuzzy Hash: 7cfba642e6058c3edd19741c7f4b23353daf450e7b748ff5c3eab5dbaa2483a3
Instruction Fuzzy Hash: 4B310071A1995E4FDBE4EF18C8A5BEAB3A1FF69304F0041A6D00DE3156DE38A9859B40

Function 00007FFD340DE289 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcd28f0293465861d16d87bd753ff1d896d4a24da997dfe75691d4651f6efff
Instruction ID: 467232acb33251346d064be80361ca2c3e43f216d43a9575a55d142d9ddc934b
Opcode Fuzzy Hash: 2bcd28f0293465861d16d87bd753ff1d896d4a24da997dfe75691d4651f6efff
Instruction Fuzzy Hash: E131B371A0E7C64FE3569B6548A91713FE1EB43314B1904BBE18DC7093EA1CAC4AE7D2

Function 00007FFD340D14E2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8de8476c80fa6cd774ba894674fd2148eb62ea76d3036bec2837c81608f797f
Instruction ID: 81f3fe6b3b5ee8584684ba2313fab3d1172828a932cb6eb8c268bc033679376b
Opcode Fuzzy Hash: b8de8476c80fa6cd774ba894674fd2148eb62ea76d3036bec2837c81608f797f
Instruction Fuzzy Hash: FB3199747095498FD795EF28C8957D873E1FF5A304F0405B9E44DC7291CA39AD86DB00

Function 00007FFD340DE539 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce33cb6cea4ab80450c94ba9b1585abd241af5832e81b7ead25b4ff457aa8f76
Instruction ID: 61225818a79fbbd30280eb4b8b2c7f8436502fabc49810c80080b7f00656db75
Opcode Fuzzy Hash: ce33cb6cea4ab80450c94ba9b1585abd241af5832e81b7ead25b4ff457aa8f76
Instruction Fuzzy Hash: 2221C831B0DAC44FE365B72848A42793BE5EF4B344F1805BEF48DD7297E96C6909A381

Function 00007FFD340D12A5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2ce89eb85a3d5d89224254897e08b9d947fb870119de85b16bb5a32d2bda65
Instruction ID: bd2a6841125b11625edd055747914d34ce110444882f8bc583b1311ca0a7e3e1
Opcode Fuzzy Hash: be2ce89eb85a3d5d89224254897e08b9d947fb870119de85b16bb5a32d2bda65
Instruction Fuzzy Hash: 5521B371B0DA894FEBA5DE28C8643A87BF0EF96301F0401F7E54CE6192DE386D459B41

Function 00007FFD340D5E48 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1685bef34e924e7e4514c6dfc80141f8ba022e9d90b21d2d51d5fac6838d8b3c
Instruction ID: 8b720f0b857df5602f3a73c40072482ff16d57747b898f5fb734f199519cd20b
Opcode Fuzzy Hash: 1685bef34e924e7e4514c6dfc80141f8ba022e9d90b21d2d51d5fac6838d8b3c
Instruction Fuzzy Hash: 5821DE31A09B5D8FDB55EF68C8506EA77F1FF5A351F00027AE40DD7291DA34A9448B80

Function 00007FFD340D473E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9389fadfe330585f7838c182401a7118d42d4cc960dda2adfb204645d27cfba8
Instruction ID: 4d9d90e5fa9d6316c8c350bbbf6e4c8d4470afbfdaeba7c3660281edfd430601
Opcode Fuzzy Hash: 9389fadfe330585f7838c182401a7118d42d4cc960dda2adfb204645d27cfba8
Instruction Fuzzy Hash: 08210C74E08A1D8FDF98DF58C895BADB7B1FF6A301F10016AE10DE7251CA34A844DB40

Function 00007FFD340D3730 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0858f600574d3ec8d3cbf471ee85363171c4121e938c894415388522232d7c6
Instruction ID: c5f37c403404137584ddc69d166ec631270b048e1e4f0ee827112a3ebd573b91
Opcode Fuzzy Hash: b0858f600574d3ec8d3cbf471ee85363171c4121e938c894415388522232d7c6
Instruction Fuzzy Hash: 78216A71A1460D8BDB44EF58C8819FEB7F0FB59304F000176F85AE3291CA38E8959B91

Function 00007FFD340DA341 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2c0a0a954378dfd033f09c02017e669fb46387bd778925f5a766d087b95f62
Instruction ID: 0e5181c3ee1780ab7e2a8d6cd5d78c375e7f28808aa7282e15ab6d6a6b85e322
Opcode Fuzzy Hash: ec2c0a0a954378dfd033f09c02017e669fb46387bd778925f5a766d087b95f62
Instruction Fuzzy Hash: 49119D71E09A4D9FDB81EB98C8A5AE97BE1EF5A310F000166F508E3192CB286448AB40

Function 00007FFD340DA4A8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1750ba888f16fe4c6206ae47211359a02804e91b43615fa4a8bd915a5ef6ef23
Instruction ID: e9b002afffbf9c5f8e906ab809cb94951ac19ba1d9b23db3683ed8b463dc8d0e
Opcode Fuzzy Hash: 1750ba888f16fe4c6206ae47211359a02804e91b43615fa4a8bd915a5ef6ef23
Instruction Fuzzy Hash: D3214C70E05A5E8FDB48EF98C4A55BDBBB2FF9A311F10412AD409F7285DA386845DB40

Function 00007FFD340D3805 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385ccf7ac5e95f592c048666e381946c2371adbc8cce6adb9e284af8e9f83687
Instruction ID: dc038a62f7bc6a9852c38516feb04426aaf56bc01704ac51792a341d7ff9bfb2
Opcode Fuzzy Hash: 385ccf7ac5e95f592c048666e381946c2371adbc8cce6adb9e284af8e9f83687
Instruction Fuzzy Hash: 8B01D867F0F3D25EE761A67C98A25DA3BA0DF03225B0840BAE60CCE093D92C594DF251

Function 00007FFD340DCFDB Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4214cd7ea517d7783786c6d550f2e73616fa95227cc41ed780ad8fa31118c076
Instruction ID: bb4fb8251e5b291b4c50bf03817fefca8d5242489c1d6159672d2c283f9d7cbb
Opcode Fuzzy Hash: 4214cd7ea517d7783786c6d550f2e73616fa95227cc41ed780ad8fa31118c076
Instruction Fuzzy Hash: 1801757071C5854BE76C9A1884A15BC33E6EF47301F20503EE597C71C6DE3CE946B640

Function 00007FFD340D4683 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9501c896aedac63b480529088c36278058473e22cb5fc419d715248def3fef
Instruction ID: 1149354e27b8cf376edab88e659efbed4b2ab62271be3520bb12a72a3a92de2b
Opcode Fuzzy Hash: 7a9501c896aedac63b480529088c36278058473e22cb5fc419d715248def3fef
Instruction Fuzzy Hash: 8911A834B155098FDB48DFA8D994A9DB7F2FB99301F108169E00AEB295DB38A905DF04

Function 00007FFD340DCF3D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fddf22e5469524adc107480da91b38a8b3b8bdc6547598e8540b1fab747e53
Instruction ID: f535cd6647c2e4044b1ba1658859fe127348ec2a90e2b0343119a7ee2c7a444a
Opcode Fuzzy Hash: e8fddf22e5469524adc107480da91b38a8b3b8bdc6547598e8540b1fab747e53
Instruction Fuzzy Hash: AC018F70B2C5854AE7689A2884F45B833E6EF47301F20413EE59BC61C2DE3CEA46A240

Function 00007FFD340D98E5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a3022223e167c44a4a6bcc1b391b1d1b22bdc5fb56a11b94009cb1b188c5b3
Instruction ID: 00abdd17abf19e79136184f57c3438340026e20b866eaee3c8f5075908d912a9
Opcode Fuzzy Hash: 37a3022223e167c44a4a6bcc1b391b1d1b22bdc5fb56a11b94009cb1b188c5b3
Instruction Fuzzy Hash: 7801AD30A1968C8FCB50DF28C8956ED7BB0FF1A300F4102BAE808C3291DB38E854CB81

Function 00007FFD340DE109 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501402e388b299efa6d1d98cda5b7f321c32589ad63429271954f094dae6cc95
Instruction ID: cabdc345d6ceb1328f4b5df75810eb4625fbc42626a4213b047bf6ef516095f5
Opcode Fuzzy Hash: 501402e388b299efa6d1d98cda5b7f321c32589ad63429271954f094dae6cc95
Instruction Fuzzy Hash: 57018F3091878D8FCB92DF2888196EA7BF0FF1A301F4105ABE808C7162E738D554CB81

Function 00007FFD340D33E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a01462e1ce9b0cdc76749772d159deb4d6b53d2b1b590f8c1de2f3b6321c2
Instruction ID: b3967a178ca6b333509e05dd8725c32a378fd257bcf52d02eb48ae6d3157d385
Opcode Fuzzy Hash: 213a01462e1ce9b0cdc76749772d159deb4d6b53d2b1b590f8c1de2f3b6321c2
Instruction Fuzzy Hash: C5014630A14A0E8FDB91EF68884A6FE77F4FF18305F400A6AF81CD3251DB38A5548B80

Function 00007FFD340DB58A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbaa00d129bc309cf4b9f5379bc5d561bfc887ed8f2891820e9d17ebbdaf5b3
Instruction ID: 15f25b717559f1d6f7a135e4649709657a6ff70d2ec5ba83fbe01dd41dde1357
Opcode Fuzzy Hash: 8cbaa00d129bc309cf4b9f5379bc5d561bfc887ed8f2891820e9d17ebbdaf5b3
Instruction Fuzzy Hash: EF01A474918A4D8FDF80EF5CC889AAA7BF0FF69305F000566E918D3260D774E554CB81

Function 00007FFD340DBA61 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d618e4156c1f4e00242aba84683e80713f43920ea4a53122f74c71d903b70521
Instruction ID: 5d72e75249e7adb7bba405a9e7b92f16a615051b6232826bdbc663835a0eb2b6
Opcode Fuzzy Hash: d618e4156c1f4e00242aba84683e80713f43920ea4a53122f74c71d903b70521
Instruction Fuzzy Hash: DEF05E70E1968DCFDB91EF68C8582EE7BB0FF59300F4109AAE518C21A2DB389554CB41

Function 00007FFD340D33F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545e0ab8cc54d670be5fc49e0a37cf9a9de4048672cf31a6c5085e1be57f2229
Instruction ID: 37da09bcb5678e25d6346f7743397763ce3ef4a6e11dfab45c56d5e66168c887
Opcode Fuzzy Hash: 545e0ab8cc54d670be5fc49e0a37cf9a9de4048672cf31a6c5085e1be57f2229
Instruction Fuzzy Hash: 91F0E734A14A4E8FDB90EF68884A6EE77F0FB59305F400A6AF818D3250DB34A6549B81

Function 00007FFD340D1636 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30708b25036362919925debcb3abaf20d3fb31db71e782b818dbbf6f3db3ed48
Instruction ID: e4f70902fa2a758614bf55c00ffe4c9b3bbf8a44b24ae5e0d0e85d2410af7748
Opcode Fuzzy Hash: 30708b25036362919925debcb3abaf20d3fb31db71e782b818dbbf6f3db3ed48
Instruction Fuzzy Hash: 54F0E231A169299FDB90EB18C8D9A9973B1FFAA300F4041E4A40CD7261CB39ED81CF40

Function 00007FFD340D0877 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d34cc49a9f0d49dd06d0de17b037227b9a4ca54deca3be83c9e85328f664040
Instruction ID: ded43425452fb062330aee3932291a75e3f5e9261900c4f9fe1361ab13c1a7c4
Opcode Fuzzy Hash: 8d34cc49a9f0d49dd06d0de17b037227b9a4ca54deca3be83c9e85328f664040
Instruction Fuzzy Hash: F4F05820A4E3CA0EE316A37848B81A97FA0AF03204F090CBBD689C6093CC1C6818D322

Function 00007FFD340D67B8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6617a16db073d84e0ddb1a7351e60020d422513bfcdefe914549fdb1d4ec20e6
Instruction ID: c386655e8137efac5458431bfa4323d25aaaa38a96fb1326794a7964c6259152
Opcode Fuzzy Hash: 6617a16db073d84e0ddb1a7351e60020d422513bfcdefe914549fdb1d4ec20e6
Instruction Fuzzy Hash: A5F06270A0E58A4FCB59EFA0C5958EDB761FF12344B5002ADD006AB187CA39A44ADF40

Function 00007FFD340D6675 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdd9f3cd7ca44dde2ec6c357ee2ee6bcbdd0832bace1ac448eec2659e511de9
Instruction ID: 7afce4e5c088b9699719afcdcc04c9496fe5516012085fd095cf55a6d9b77347
Opcode Fuzzy Hash: 0bdd9f3cd7ca44dde2ec6c357ee2ee6bcbdd0832bace1ac448eec2659e511de9
Instruction Fuzzy Hash: 78F01D70A056198FCB9CEF64C4A19FDB772FF56301F5001ADD10AA7291CA3AA982DF00

Function 00007FFD340D215A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8a0f4a46bc48d29a8bf9d0cfe8ae61852f800589dd45b812f60000a68a684b
Instruction ID: 6b83164b492b0d07cd79fce641486db25c54644ae18f098cb683b82605a8c162
Opcode Fuzzy Hash: 6d8a0f4a46bc48d29a8bf9d0cfe8ae61852f800589dd45b812f60000a68a684b
Instruction Fuzzy Hash: E4E09235B0660A4FDB48EF14D9A26EEB361EF8A304F408475FA1CC3186CE38A818B640

Function 00007FFD340DB958 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3666a47d705f647e15e218a30ee976ee66ba1d1baee0557a873fde02f4cc02fe
Instruction ID: 5f69f050b0f70a3d4fcf1882b784d7a294f268b895cee7fba13e789ce62fdf1d
Opcode Fuzzy Hash: 3666a47d705f647e15e218a30ee976ee66ba1d1baee0557a873fde02f4cc02fe
Instruction Fuzzy Hash: F9F03034E1568D8FDB90EF6889582EEBBF0FF45300F00097AE918D2251DB7495588B40

Function 00007FFD340D681A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edac2ba40c637109d83ee9e1138b2b8ba40545d3a4a4fea671d72d51031f41d9
Instruction ID: cf85f25d522d95b68e695be0cb3949869392529048e6c9f3dc417acf9fd35dc9
Opcode Fuzzy Hash: edac2ba40c637109d83ee9e1138b2b8ba40545d3a4a4fea671d72d51031f41d9
Instruction Fuzzy Hash: 90F05470E1A60E8FDB58EFA0C4954BD7761FF12741F50067DE50AA7186EE38A406EF40

Function 00007FFD340D3410 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cafffcd86a5161e631fb3f75594971dd4ecfc4c1aada0a012309f259859c4cd
Instruction ID: da62412d76ae96209faee1ef8542e02e5a8af96aa74176490f6cc1bc6e6570b7
Opcode Fuzzy Hash: 3cafffcd86a5161e631fb3f75594971dd4ecfc4c1aada0a012309f259859c4cd
Instruction Fuzzy Hash: 34F03030E1454D8FEB50EFA488482FEB3F4FF05300F00097AE41CD2191DB3465589740

Function 00007FFD340D21D9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e75a996e4054ac678c7975fe7f9e9c89f00e92a93b1b4c1fbd9f80feeee264
Instruction ID: 75447ec982736dd199ec91ea2c000ae41c1ffb66dab3554ff9474c144545228a
Opcode Fuzzy Hash: 19e75a996e4054ac678c7975fe7f9e9c89f00e92a93b1b4c1fbd9f80feeee264
Instruction Fuzzy Hash: FDE04F31B1554E4FDB44EF14D9A16EEB362FF8A214F505971F91CC3186CE38AC15AB40

Function 00007FFD340D7038 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7b11082496024bded4bab1babc3366ea98f3ad3c87ded08969e4249184d344
Instruction ID: 9c5ca8722fd2e10e101d3098a42406547ab31173305897b2b7fbd5f8fea5836a
Opcode Fuzzy Hash: 8d7b11082496024bded4bab1babc3366ea98f3ad3c87ded08969e4249184d344
Instruction Fuzzy Hash: 2AE03030B2B11ADEDB18DB6180A01BCB6B1FF57300B70947EE50A9A2D1DA3A9905BA50

Function 00007FFD340DA0A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8dac27ef631906b1154e13f487fa785b754e13137e8e96f147327e55525513
Instruction ID: 5e8568164ddaa77648177bfa09953414be564f42385a85ba3e55e83b21808665
Opcode Fuzzy Hash: cc8dac27ef631906b1154e13f487fa785b754e13137e8e96f147327e55525513
Instruction Fuzzy Hash: 74F0AC30A555599FEB98DB68C8A5BEDB6B1FB59301F5040AAD10DE2281DF3959809F00

Function 00007FFD340DBB85 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27880b65a6eac9917f91535bb8489bb22fcdfc70612c4216d17aa31c28c1237
Instruction ID: 80eba205bd78809c413f5c70091d3faf2f72dc992364caf51434a90d90c79f48
Opcode Fuzzy Hash: b27880b65a6eac9917f91535bb8489bb22fcdfc70612c4216d17aa31c28c1237
Instruction Fuzzy Hash: 98E04F2690E3C84FD7135B648C615E57FB0AF47110F0D42D7E688CA0A3D65C5A18C752

Function 00007FFD340D08CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474185f59dfa5de56986f73e9f0fb8f154e20d0079e37bc8b68e0b62f01eab1e
Instruction ID: f04ed7e4f7d5d15954544612aa4f44ec99f1113ad6b1bd2058e6550c336f7227
Opcode Fuzzy Hash: 474185f59dfa5de56986f73e9f0fb8f154e20d0079e37bc8b68e0b62f01eab1e
Instruction Fuzzy Hash: EBD0C971E0980C9EEB40EF98E8915EDB774FF45214F0012B7E50DD3152DE342A518A40

Function 00007FFD340DC878 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd433a3773b4813755ab26fc942a5e4f6d11ff0121124be235578535844f5032
Instruction ID: 1fc5a1ec703ce8b80991dc483454ae3affc41128689c4ba2e3120bc7230db3ce
Opcode Fuzzy Hash: bd433a3773b4813755ab26fc942a5e4f6d11ff0121124be235578535844f5032
Instruction Fuzzy Hash: DCC09B1279B51D0DD6D45A5C7C911A4B380D74613178015B7EE09C524AD85F48455781

Function 00007FFD340D42BA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ca09c043559ac5932fd90f5aa99a2db9a2423e9cb7d4fd3dee7bef2964fd3a
Instruction ID: 474de9cd4ff2ab800deff93b0f7ebc85f0f693fdc93534d16bea2ce1a6b32fba
Opcode Fuzzy Hash: 60ca09c043559ac5932fd90f5aa99a2db9a2423e9cb7d4fd3dee7bef2964fd3a
Instruction Fuzzy Hash: A6E0EC30E1450D8ADB95DB69C8912DCA6B1BF5A200F0044A5E04DF2155CA3819419F04

Function 00007FFD340D707C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3486324966.00007FFD340D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd340d0000_qGapNjaVVUPNU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99e214ea31bcc46357b61b4bae6a2dd36849591aa7ae86073fb1d9338b71b1f
Instruction ID: 553d1636cee6a3f7f00997abbf72996b4e05540ee781c29cf357b4bbff53e758
Opcode Fuzzy Hash: a99e214ea31bcc46357b61b4bae6a2dd36849591aa7ae86073fb1d9338b71b1f
Instruction Fuzzy Hash: F2D09E306056098ECF44DF3485915A87371BF56344B105869E019DA195D63AD811EF14

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice Shipment.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkCloud

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Invoice Shipment.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aai5z0ra.hf1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2oipehl.50k.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5ahv2ge.t11.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hh5dmtb2.m4e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3k30ksn.ksl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmj2ke5k.oqs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wq2hwn2w.cvw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0g3lako.4hv.ps1

C:\Users\user\AppData\Local\Temp\tmpF214.tmp

C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe

C:\Users\user\AppData\Roaming\qGapNjaVVUPNU.exe:Zone.Identifier

Static File Info

General

File Icon

Windows Analysis Report
Invoice Shipment.bat.exe